Abstract

Natural intuition organizes experience into a linear sequence of discrete events, but this approach is inappropriate for asynchronous distributed systems, where information is distributed and perception is delayed. Distributed environments require a distributed notion of time, to abstract away not only irrelevant physical detail but also irrelevant temporal and computational detail. By expressing distributed systems concepts that are difficult to talk about in terms of real time and by distinguishing what really "happens" from what physically occurred, a theory of distributed time would provide a natural framework for solving problems in distributed environments. This paper lays the groundwork for that claim by formally building such a theory. This research improves on previous work on time in distributed systems by supporting temporal relations more general than partial orders, by supporting abstraction through multiple levels of temporal relations, by separating the family of temporal relations an application consults from the particular clock implementations that track them, and by providing a single arena to consider these issues for a wide range of applications.
Chapter 1
Introduction


Traditionally, we think of computation as some set of things that happen. Since things happen in real time, we can use real time to organize these events into a linear sequence. By imposing a discrete structure on events, this traditional view already performs abstraction: full physical detail does not express what really "happens." The advent of asynchronous distributed computation extends this abstraction to time: if two events occur without knowledge of each other, then their real time sequence does not matter [La78, Pr86]. Expressing what really "happens" in a distributed computation requires a theory of distributed time that abstracts away both irrelevant physical detail and irrelevant temporal detail.

A theory of distributed time has practical motivations and uses. Many application problems in asynchronous distributed systems reduce to asking questions about temporal relations other than the natural real time sequence. Thinking in terms of these alternative temporal relations would clarify these problems; providing clocks for these relations would simplify protocol design. Indeed, building protocols for these problems requires confronting these clock issues in one form or another. However, doing wonderful things with alternative temporal relations requires understanding the underlying framework. This paper considers the question of the appropriate notion of time for distributed systems, and develops formal mechanisms for a theory of distributed time. Later papers will use these mechanisms to build a framework for secure applications.

Previous research developed the notion of time as a partial order. Lamport [La78] used partial orders to track causal dependency in distributed systems; Pratt [Pr86] argued for the universality of partial order time. Fidge [Fi88] and Mattern [Ma89] explored partial order time and built vector clocks; the author explored security issues in tracking partial order time.¹ Other research includes calls for departing from the order of real time ([Je85] uses total orders; [Gr75] uses partial orders), and explorations of the role of partial orders and asynchrony in application problems such as communication [BiJo87, PBS89], distributed debugging [Fi89, Sp89], deadlock detection [Ma87, TaLo91], distributed snapshots [ChLa85, Ma93], and rollback recovery [StYe85, Jo89, JoZw90, PeKe93].

This paper improves on earlier work by providing a single, general theory of distributed time suitable for a wide range of applications. By supporting temporal relations more general than partial orders² and by supporting hierarchies of temporal abstraction, this theory can express the computational abstraction appropriate for families of application problems. By providing a general approach to distributed time, this theory allows us to unify in a single framework protocols that separately consult and affect time, and to consider once the clock issues central to each separate protocol. By introducing orthogonality between temporal relations and the clocks that track them, this theory allows us to consider (and alter) clock implementations without changing higher-level protocols.

¹The author's Ph.D. proposal [Sm91] discusses these issues, and presents a secure protocol for partial order time. [ReGo93] also explores security for partial order clocks; more recent work by the author [SmTy93] improves on these earlier protocols. [AmJa93] considers some related security issues.

The author's current research [Sm94] involves building a single arena to analyze the temporal aspects of distributed application problems, to design protocols in terms of distributed time primitives, and to independently consider secure implementations of these primitives. This paper provides a theoretical foundation for that work.


1.1. Describing Computation

Loosely speaking, we use time to identify the things that happen and the order in which they happen. What is the best way to describe what actually "happens" in a computation?


Describing Physical Reality On a basic level, computation is a physical activity. Physical devices react to each other and the environment as time progresses. From this perspective, the best description is a straightforward record of the physical activity: the notebook of an omniscient observer who, each time something changes, glances at his watch and jots down what occurred and when. Figure 1.1 gives a toy example.


Abstracting to Discrete Events However, merely recording physical activity is too naive. Even the above toy example reveals a fundamental problem with this approach: granularity. Recording a list requires imposing a granularity on actions: one thing happens, then another, then another. This imposition raises two issues.

First, the granularity we desire when describing computation is usually far coarser than the level in an exhaustive physical description. A computational event represents some bundle of physical events. Figure 1.2 illustrates this abstraction.


0:01  0:03  0:04  0:07  0:08  0:09  0:11  0:13
LDR1  INR1  STR1  NOP   LDR1  LDR2  ADD   STR1

Figure 1.1 An example of an exhaustive physical description is a timestamped list of machine instructions.


²For example, non-transitive relations and cyclic relations both have some use.
Figure 1.2 We may abstract away from the physical description by bundling basic physical events into computational events. The detailed machine code becomes "event A₁, then event A₂."


Secondly, even constructing an exhaustive physical description begs the granularity question. Why should we record machine instructions, rather than gate firings, transistor activity, or subatomic particles? Event abstraction continues at lower layers. Figure 1.3 sketches one approach.


Abstracting from Real Time If physical computation is taking place in a distributed environment, then the physical description should indicate not only when things happen, but also where. The computational level should leave concurrent any events that represent simultaneous activity. (See Figure 1.4.)

Suppose the system is asynchronous as well. Events A and B were not genuinely simultaneous but only apparently simultaneous: that is, they had no knowledge of each other. Then we may still want to leave them unordered. (See Figure 1.5.)
Figure 1.3 The physical description is itself an abstraction: each instruction may represent gate firings or transistor actions. The level of description we choose for our base is essentially arbitrary.

Figure 1.4 Abstract events A₁ and B₁ represent genuinely simultaneous computation; we regard these events as concurrent.

Figure 1.5 Abstract events A₁ and B₁ now represent computation that only "appears" simultaneous; nevertheless, we still regard these events as concurrent.
Lacking any access to real-time clocks and unable to perceive each other except through messages, process p and process q cannot distinguish the actual physical order of A and B in this example. Hence we have not just condensed physical activity to events and removed edges; we have condensed a set of physical descriptions to a single computational description. (See Figure 1.6.) The processes should not know which physical description in this class is the "true" description.


Abstracting from Abstractions Situations arise when even a single layer of abstraction does not suffice. For example, consider the problem of rollback: modifying the computation so that certain events appear to have never occurred. (Rollback arises when considering fault-tolerance and checkpointing [Jo89, JoZw90], and will be considered in subsequent work.) Suppose process p wants to roll back event A₂ and execute A₂′ instead. Initially we pretended that the computational description, not the physical description, is what "really happens." But now we want to ignore detail in the computational description as well—we want to abstract away the original event A₂, and the rolled back computation that depended on it. Figure 1.7 sketches how rollback induces two levels of abstraction.
Figure 1.6 An abstract computation graph represents a set of possible physical computations. Once we abstract to the graph, we forget the presumably irrelevant physical detail.

Figure 1.7 Rollback induces two levels of abstraction. We prune away irrelevant machine details to obtain description α; however, we presumably want to prune away irrelevant rollback details to obtain the "real" description β.

1.2. Distributed Time


These informal sketches demonstrate some issues critical to building a theory of time.

• We want to represent a computation as some abstract set of "things that happen," with a relation indicating the temporal order in which these things happened.

• The components in these abstractions themselves represent various parts of the exhaustive physical description.

• These abstractions should permit temporal relations more general than that of linear time.

The rollback example of Section 1.1 motivates two more issues:

• We need to distinguish between the way we obtain the abstract representations, and the representations themselves (since we may have multiple routes to the same representation).

• We will want to apply abstractions to abstractions.

We conclude that a general theory of distributed time should contain three components:

• a standard format for these abstract representations (so we can talk about computations)

• a way to specify time models: representational transformations on these objects (so we can abstract from one representation to another)

• a way to translate some level of physical description into this format (so our chains of abstraction have some footing in reality)

Once we develop a framework for distributed time, the challenge remains of developing and using models in this framework. Our sketches in Section 1.1 featured two implicit goals:

• to express the ordering that processes in an asynchronous distributed system perceive

• to use some natural level of discrete events

Initially we see two principal motivations for using distributed time models:

Best Approximation of Reality If the complete physical description is unavailable, our time model should express as much as we can know about it.

Convenient Expressiveness If the complete physical description obscures key concepts, then our time model should provide a more appropriate description.

The rollback example of Section 1.1 raises a third motivation:

Virtual Computation If the processes collectively pretend that the "current" computation differs from the one a complete physical description would record, then our time model should express this abstraction.

If an application problem broaches these issues, then distributed time will be relevant to that application. We quickly sketch a few examples:

• The problem of distributed snapshots consists of one process trying to take a snapshot of the state of the system at some instant. Distribution and asynchrony impose knowledge limitations that make this task difficult: anything that the process can perceive about the rest of the system is out-of-date.

• The problem of orphan detection requires determining if a given event might have perceived (and thus depend on) an aborted event. This perceive/depend relation forms a partial order—real time alone fails to give enough information.

• The problem of rollback requires modifying the computation to pretend that a simpler one (or at least a different one) occurred. The processes cooperate to add an additional level of abstraction, and this new level—describing a fault-free computation that never really happened—becomes the "real" computation.

Chapter 15 will return to these topics, and subsequent work will explore them more thoroughly.
1.3. Overview of this Paper


This paper formally develops a theory of distributed time. The initial goal is to build a framework to express the ordering perceivable in asynchronous distributed systems; however, the framework will extend to wider domains.

As we already observed, computation is fundamentally a physical activity; hence talking about abstract representations of computation requires choosing some arbitrary level of physical description. Part I presents our system model, the level of physical description we choose for this work.

Part II builds the machinery for time models. This construction follows the schema of Section 1.2: we develop a computation graph format for abstract representations, translate the physical description into this format, and build a family of representational transformations.

Part III explores the relationship between modeled time and real time—the relationship between logical simultaneity and genuine simultaneity. We extend the time model machinery to apply to parallel computation, and we explore timeslices: sets of logically simultaneous events.

Chapter 15 concludes this paper by discussing the second half of the problem: using this theory of time as a framework for secure applications.

(A guide to the symbols and terminology we use follows the text of this paper.)
Part I


Computation


The immediate focus of our work is building time models for computation in asynchronous distributed systems. However, before we can build models, we need to specify the things we want to model. Part I handles this task. Chapter 2 presents the formalism we use for our distributed system: a collection of finite automata communicating with each other, and with the outside world (via I/O devices, also automata). Chapter 3 then defines the system trace format we use for the ground-level, exhaustive physical description of computation.
(Part I)


Chapter 2
Systems


A process is a sequential, localized computational entity. A process may interact with its local environment through a collection of I/O devices. A system is a finite collection of processes and I/O devices. Processes and I/O devices have unique names. For a given system, let PROC-NAMES be the set of process names, DEV-NAMES the set of I/O device names, and NAMES their union. (To keep things simple, we assume these sets are static.)

Processes interact with each other and with the I/O devices by asynchronously passing messages that arrive either once (after an unpredictable delay) or not at all. (Thus, the system does not necessarily preserve message order, and may lose messages.) A message is a triple indicating the sender, the destination, and the message content. Formally, define

$$\mathrm{MESSAGES} = \mathrm{NAMES} \times \mathrm{NAMES} \times \Sigma$$

where $\Sigma$ is the set of finite binary strings.


2.1. Processes

The Automata Model Internally, a process is a deterministic finite automaton operating in real time. Each process has a finite set of states $Q$ (with initial state $q_0 \in Q$), a send queue $S$, and a receive queue $R$, both from $\mathrm{MESSAGES}^*$.¹ (These queues are not necessarily FIFO.) Such triples constitute process configurations:

$$\mathrm{CONFIGS} = Q \times \mathrm{MESSAGES}^* \times \mathrm{MESSAGES}^*$$

Transition Functions A process also has a transition function $\delta$ that specifies transformations of the process configuration:

$$\delta : \mathrm{CONFIGS} \to \mathrm{CONFIGS}$$


¹The notation $W^*$ denotes the set of strings of items from a set $W$.


However, not just any function will do. All transition functions must respect the operation of the send and receive queues. For example, the send queue lists the messages sent by this process that have not found their way into the network yet. Transition functions must treat the send queues as write-only.

Exactly how a transition function should treat the receive queue—the list of messages that have arrived at that process but have not yet been "received"—is another matter. Should a process be able to execute only "blocking receives," where a receive operation causes the process to read a message off its queue (if the queue is nonempty) or wait indefinitely until a message arrives? Should the arrival of a message interrupt the process, so that a receive happens spontaneously on the arrival of a message? Or should a process have a poll operation, where it formally determines whether a message is waiting?

An Interrupt/Polling δ As an example, we develop a specification that admits transition functions that can do both explicit polling and spontaneous interrupts.


The Informal Version We want such a δ to allow a process to examine its current state and whether or not the receive queue is empty. This information alone then enables one of three types of transitions:

• send: the process changes state and adds a message to the send queue.

• receive: the process changes state, removes a message from the receive queue, and reads it.

• compute: the process only changes state (without modifying the queues).

The receive transition can only be enabled if a message is waiting, and only in a receive transition may the process actually examine the value of the message at the head of the queue.


The Formal Version Let EMPTY be the predicate indicating that a queue is empty, CAR return the first element of a nonempty queue, CDR return the remainder, and APPEND(s, x) return the queue s with the element x appended.


Axiom 2.1 (Interrupt/Poll) There exist functions

$$\begin{aligned}
\mathrm{CLASS} &: Q \times \{\mathit{true}, \mathit{false}\} \to \{\mathit{send}, \mathit{receive}, \mathit{compute}\} \\
\mathrm{STATE}_n &: Q \times \{\mathit{true}, \mathit{false}\} \to Q \\
\mathrm{STATE}_r &: Q \times \mathrm{MESSAGES} \to Q \\
\mathrm{MESS} &: Q \times \{\mathit{true}, \mathit{false}\} \to \mathrm{MESSAGES}
\end{aligned}$$

such that

$$\mathrm{CLASS}(q, x) = \mathit{receive} \implies x = \mathit{false}$$

(a receive is enabled only when the receive queue is not empty) and

$$\delta(q, S, R) = \begin{cases}
\bigl(\mathrm{STATE}_n(q, \mathrm{EMPTY}(R)),\ \mathrm{APPEND}(S, \mathrm{MESS}(q, \mathrm{EMPTY}(R))),\ R\bigr) & \text{if } \mathrm{CLASS}(q, \mathrm{EMPTY}(R)) = \mathit{send} \\
\bigl(\mathrm{STATE}_r(q, \mathrm{CAR}(R)),\ S,\ \mathrm{CDR}(R)\bigr) & \text{if } \mathrm{CLASS}(q, \mathrm{EMPTY}(R)) = \mathit{receive} \\
\bigl(\mathrm{STATE}_n(q, \mathrm{EMPTY}(R)),\ S,\ R\bigr) & \text{if } \mathrm{CLASS}(q, \mathrm{EMPTY}(R)) = \mathit{compute}
\end{cases}$$

Here $\mathrm{STATE}_n$ gives the new state for the two non-receive classes, and only $\mathrm{STATE}_r$ ever sees message content. This paper assumes the processes in the example systems have transition functions that satisfy this axiom.
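As an added illustration (not code from the paper), the following Python assembles a δ from the four functions the axiom posits and then checks, treating δ as a black box, the queue discipline the axiom implies: the send queue is write-only, the receive queue is consumed only head-first and only in a receive transition, and a non-receive transition cannot depend on the content of a waiting message. The two-state "pong" process, the probe messages, and the names make_delta, check_axiom and peeking_delta are constructed for this example; STATE_n is the non-receive state function. The deliberately non-conforming peeking_delta shows what the check rejects.

```python
"""A process automaton satisfying Axiom 2.1 (Interrupt/Poll).

Added example; not code from the paper.  make_delta, check_axiom,
peeking_delta, the "pong" process and PROBES are constructed here.
A configuration is (q, S, R): state, send queue, receive queue.  Queues
are tuples; a message is (sender, destination, content) with content a
bytes object (the paper's finite binary strings).
"""
from typing import Callable, List, Tuple

Message = Tuple[str, str, bytes]
Queue = Tuple[Message, ...]
Config = Tuple[str, Queue, Queue]


def EMPTY(queue: Queue) -> bool:
    return len(queue) == 0


def CAR(queue: Queue) -> Message:
    return queue[0]


def CDR(queue: Queue) -> Queue:
    return queue[1:]


def APPEND(queue: Queue, item: Message) -> Queue:
    return queue + (item,)


def make_delta(CLASS, STATE_n, STATE_r, MESS) -> Callable[[Config], Config]:
    """Assemble delta from the four functions the axiom posits (STATE_n is
    the state function for the two non-receive classes).  Only the receive
    branch hands message content, CAR(R), to the process; the other
    branches see just the state and whether R is empty."""
    def delta(config: Config) -> Config:
        q, S, R = config
        empty = EMPTY(R)
        kind = CLASS(q, empty)
        if kind == "send":
            return (STATE_n(q, empty), APPEND(S, MESS(q, empty)), R)
        if kind == "receive":
            assert not empty, "axiom: receive is enabled only when a message waits"
            return (STATE_r(q, CAR(R)), S, CDR(R))
        if kind == "compute":
            return (STATE_n(q, empty), S, R)
        raise ValueError(f"unknown transition class {kind!r}")
    return delta


# A two-state process p (constructed): poll the receive queue; a "ping"
# from q is answered with "pong" on the next tick; otherwise just compute.
PONG_STATES = ("idle", "ack")
PONG_DELTA = make_delta(
    CLASS=lambda q, empty: "receive" if not empty else ("send" if q == "ack" else "compute"),
    STATE_n=lambda q, empty: "idle",
    STATE_r=lambda q, msg: "ack" if msg[2] == b"ping" else "idle",
    MESS=lambda q, empty: ("p", "q", b"pong"),
)
PROBES: List[Message] = [("q", "p", b"ping"), ("q", "p", b"noise")]


def peeking_delta(config: Config) -> Config:
    """A transition function that violates the axiom: it branches on the
    content of the waiting message without performing a receive."""
    q, S, R = config
    if not EMPTY(R) and CAR(R)[2] == b"ping":
        return ("ack", S, R)
    return ("idle", S, R)


def check_axiom(delta, states, probes: List[Message]) -> List[str]:
    """Black-box check of the queue discipline Axiom 2.1 implies.  For each
    state and sample receive queue: S is untouched or grows by exactly one
    message; R is untouched or loses exactly its head; and a step that did
    not consume the head must give the same result for every other receive
    queue of the same emptiness (content is visible only inside a receive)."""
    bad: List[str] = []
    S0: Queue = ()
    queues = [()] + [(m,) for m in probes] + [(probes[0], probes[-1])]
    for q in states:
        for R in queues:
            q2, S2, R2 = delta((q, S0, R))
            if S2 != S0 and not (len(S2) == len(S0) + 1 and S2[:len(S0)] == S0):
                bad.append(f"{q}/{R}: send queue is not write-only")
            if R2 not in (R, CDR(R)):
                bad.append(f"{q}/{R}: receive queue not consumed head-first")
            if R2 == R:
                for R_alt in queues:
                    if EMPTY(R_alt) == EMPTY(R) and delta((q, S0, R_alt)) != (q2, S2, R_alt):
                        bad.append(f"{q}/{R}: result depends on unread message content")
    return bad
```

The content-independence check is the one worth keeping around: a δ that inspects the head of R outside a receive transition lets the process learn about the rest of the system without any receive ever appearing in the execution, which quietly breaks the "perceive only through messages" assumption that the rest of the chapter relies on.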


In Real Time A process operates in real time. Each process receives ticks; at each tick, the process transforms its state according to δ. This paper treats transformations as instantaneous (to ensure they are atomic), and assumes a past-closed convention (to keep state well-defined). If a tick occurs at time u, the old configuration persists for t < u, and the new one exists for t ≥ u (until the next tick).

Since the processes are asynchronous, these ticks occur at indeterminate intervals, independently at each process. However, these intervals must be "reasonable." The following axiom presents one characterization of reasonableness.

Axiom 2.2 (Discrete Behavior) In any finite period of time, a process receives only a finite number of ticks.


Philosophy Central to the family of time systems we build in this paper is the assumption that the system is indeed asynchronous and distributed. Processes have no access to real time: an outside observer can generate timestamps from God's wristwatch, but individual processes never get to look at this device. Further, processes may perceive the rest of the system only through the messages they receive.²


2.2. I/O Devices


Throughout its execution, a process may interact with local parts of the outside world—perhaps a hard disk, a user at the console, or a fermentation vat with sensors and valves. From a process's point of view, these I/O devices are black boxes. The process can communicate with them and may have some idea of what they might be doing, but the environments essentially have nondeterministic behavior and unobservable state.


²Local input and output (through I/O devices) provides an avenue for covert communication that violates this distribution requirement. Such pathology lies beyond the scope of this paper (but subsequent research will examine this issue).

Similar to processes, I/O devices appear in our model as automata, with a set of states $Q_{\mathrm{DEV}}$ (containing initial state $q_0$), a send queue, a receive queue, configurations of the form

$$\mathrm{DEV\text{-}CONFIGS} = Q_{\mathrm{DEV}} \times \mathrm{MESSAGES}^* \times \mathrm{MESSAGES}^*$$

and a transition function $\delta$.

An I/O-device automaton differs from a process automaton in two important ways. First, the state set $Q_{\mathrm{DEV}}$ may be countably infinite (since the real world can be fairly complex). Second, a given configuration may enable transitions to several new configurations (to allow for the randomizing influence of the outside world). The transition function for I/O-device automata maps configurations to sets of configurations:³

$$\delta : \mathrm{DEV\text{-}CONFIGS} \to \mathcal{P}(\mathrm{DEV\text{-}CONFIGS})$$

In a transition from configuration $c$, the automaton takes on one of the new configurations from $\delta(c)$ nondeterministically.

Each process has a (possibly empty) collection of I/O devices. We make the simplifying assumption that these collections are disjoint. The I/O devices that a process uses are private to that process (e.g., only process p communicates with its I/O devices).

As with process automata, asynchronous, independent ticks (satisfying the Discrete Behavior Axiom) trigger transitions in I/O-device automata.


2.3. Message Transmission

The previous sections presented automata models for process behavior and I/O devices. This section completes the picture by formally describing their interaction: message transmission.

A process automaton (or I/O-device automaton) sends a message by appending it to the send queue, and receives a message by examining the receive queue (according to its δ). However, forces external to the actual automata determine how messages get from one queue to the other. In our model, a message added to a send queue remains there an indeterminate amount of time, after which it spontaneously vanishes into the ether. The message might arrive in the appropriate receive queue after some unpredictable positive delay, or it might remain in the ether forever.

As with configuration transitions, these changes are past-closed and instantaneous: the old state exists for time t < u, and the new state for time t ≥ u.


³The notation $\mathcal{P}(W)$ denotes the set of all subsets of a set $W$.
(Conceivably, we may wish to require more predictable message behavior for I/O messages—such as bounded transmission time—because the connection between an I/O device and its process is presumably more reliable than the network between processes.)
Chapter 3
Traces


Having described what the system is, we now describe what the system does.


3.1. What Influences an Execution


A system consists of a set of process automata, each with its corresponding I/O-device automata. In a given system, each process has an individual program. In a particular execution, the system starts computation at time t = 0 with each process and I/O device in its initial configuration $(q_0, \emptyset, \emptyset)$. Naturally the program at each automaton influences how the configurations evolve in this execution. But there are woollier influences: the tick sequences, the transitions of I/O-device automata, and the lifetime and fate of messages.

The behavior of these influences—the delays on messages and ticks, the choices of state and fate—is unpredictable from the point of view of a process, or even of an outside observer with perfect knowledge of all the processes (or even of the entire system). But formalizing this nondeterminism is tricky. For example, what mechanism best models the generation of a process's ticks in a particular execution? A simple random choice—e.g., at time t the process obtains a positive real Δ at random, and moves again at t + Δ—does not suffice. Neither does obtaining an increasing sequence from a set of permissible sequences (according to some specified distribution), nor does any mechanism obtaining one process's sequence independently from the other sequences.

In reality, the universe calculates this behavior. The delays and transitions that occur in a particular execution depend on the state of the universe when the execution commences. But since the universe is a fairly intractable beast, in our model things just happen unpredictably. We formally acknowledge this lack of determinism.


Axiom 3.1 In an execution, any pattern of behavior (obeying the Discrete Behavior Axiom, Axiom 2.2) may occur.
3.2. Observing Computations


An execution begins when an outside observer sets his stopwatch to 0 and simultaneously resets the processes and their I/O devices to their initial configurations. The automata rules of Chapter 2, and the particular way the ticks, state choices, and message fates unfold, allow the process and I/O-device configurations to be well-defined for all time t ≥ 0.

A system trace is a discrete representation of what an omniscient observer outside the system can realistically perceive of a computation over a finite period of time. In a particular computation, the observer takes a finite series of photos of the system and jots down the time of each photo on the back. We assume the observer is lucky enough to catch all the action by taking at least one photo immediately after every change to a process configuration: after every process tick, and after every message arriving at a process's receive queue or vanishing from a process's send queue. (Since the I/O-device automata are black boxes, we shield their behavior from the observer.)

We can imagine traces to be tables, with one column for each photo. In each column, the first row contains the time of the photo, and the remaining rows (one for each process) contain the process configurations that the photo captures.

Definition 3.2 Suppose a system has $n$ processes, $P_1$ through $P_n$. A system trace is a finite tuple $T = ((t_0, s_0), \ldots, (t_k, s_k))$, where each $t_i$ is a nonnegative integer and each $s_i$ is an $n$-tuple $(c_{i,1}, \ldots, c_{i,n})$ of process configurations, such that

• $t_0 < t_1 < \cdots < t_k$

• $s_0$ consists of the initial configurations.

• There exists some system computation such that each $c_{i,j}$ is the configuration of process $P_j$ at time $t_i$.

• For this computation, let $u_0 < u_1 < \cdots < u_m$ be the sequence of time values from the closed interval $[t_0, t_k]$ at which a process ticks, a message arrives at a process receive queue, or a message leaves a process send queue. Then:

  - $t_0 \le u_0$

  - $u_m \le t_k$

  - For each $j < m$, at least one $t_i$ falls between $u_j$ and $u_{j+1}$.
Part  II 


Time  Models 


A  system  trace  provides  the  maximum  amount  of  physically  observable  information  about  a  com¬ 
putation.  However,  this  information  contains  too  much  detail  and  too  little  structure.  Consequently, 
we  develop  a  time  model  framework  for  transforming  the  detailed  representations  to  more  abstract 
representations.  Presumably,  these  abstract  representations  better  express  the  essential  aspects  of  a 
computation  by  abstracting  away  the  irrelevant  details. 

Part  II  builds  this  framework.  Chapter  4  develops  the  definition  of  time  models.  Chapter  5  ex¬ 
plores  some  basic  properties  of  time  models,  and  presents  some  basic  operators  (which  themselves 
take  the  form  of  time  models — abstracting  abstractions).  Chapter  6  develops  a  particular  family 
of  time  models  (to  express  the  hierarchy  of  abstractions)  from  real  time  ordering  of  all  events  to 
partial  ordering  of  interesting  events.  Collections  of  models  suggest  some  natural  relationships; 
Chapter  7  explores  these  relationships. 


Chapter  4 

Developing  a  Definition 


Loosely  speaking,  time  is  a  mechanism  for  ordering  things  that  happen.  Talking  about  a  computa¬ 
tion  requires  enumerating  the  things  that  happen  and  placing  some  type  of  order  on  them.  Hence, 
we  introduce  a  computation  graph  format  to  describe  a  computation  as  a  particular  set  of  “ordered”¹ 
objects.  Modeling  a  computation  entails  taking  its  description  in  this  format  and  constructing  a  new 
description  (also  in  this  format),  whose  parts  may  represent  various  parts  of  the  old  description.  A 
time  model  is  thus  a  representational  transformation  of  computation  graphs.  For  these  chains  of 
transformed  graphs  to  talk  about  the  physical  reality  of  computing,  they  require  a  foundation:  a 
computation  graph  that  explicitly  describes  computation,  rather  than  one  that  is  just  an  image  of 
another  graph.  We  provide  this  foundation  by  transforming  traces  into  ground-level  computation 
graphs.² 

Section  4.1  develops  this  computation  graph  representation.  Section  4.2  translates  system 
traces  to  ground-level  graphs.  Section  4.3  then  presents  the  notion  of  a  time  model  as  a  particular 
way  of  transforming  (and  presumably  abstracting)  sets  of  computation  graphs. 


4.1.  Computation  Graphs 

4.1.1.  A  Definition 


Abstractly,  a  computation  is  some  set  of  discrete  events  that  happen  in  some  particular  order.  (In 
this  paper,  we  assume  that  this  set  is  always  finite.) 


¹ Strictly speaking, this temporal relation may not always be an order. 

² As we observed in Section 1.1, the choice of what constitutes ground-level is somewhat arbitrary. In this paper, ground-level graphs come from traces; other uses of this theory might require other foundations. 
We express this abstraction as a computation graph: a labeled directed graph representing a 
computation.³  The  graph  consists  of  directed  edges  and  labeled  nodes.  Each  node  is  an  event — a 
distinct  “thing  that  happens.”  The  label  describes  the  event.  We  distinguish  between  events  and 
event  labels  in  order  to  allow  repeated  occurrences  of  the  same  type  of  event. 

The  edges  have  two  roles:  to  indicate  the  temporal  relation  of  events,  and  to  indicate  the 
transition  from  one  event  to  another.  The  role  an  edge  plays  will  be  clear  from  the  construction  of 
a  graph. 


4.1.2.  Notation 

The atoms of a graph are its nodes (with labels) and its edges. Where convenient, we will regard a graph as the set of its atoms: $x \in \alpha$ refers to an atom $x$ from graph $\alpha$. Lower-case Greek letters denote computation graphs. Upper-case Roman letters from the beginning of the alphabet denote specific nodes, and lower-case Roman letters starting with $x$ denote specific atoms. Variations on the notation $\mathcal{G}$ will denote special sets of computation graphs, e.g., the graphs obtained in some particular way, with event labels from some specified set.

4.1.3.  Subgraphs 

We  obtain  a  subgraph  of  a  computation  graph  in  the  natural  way:  by  pruning  away  some  nodes 
and  edges. 

Definition 4.1 A subgraph of a computation graph $\alpha$ is the graph obtained by removing from $\alpha$:

• a subset of the nodes

• a subset of the edges, including any edge incident to a deleted node

When computation graph $\alpha'$ is a subgraph of computation graph $\alpha$, we write

$\alpha' \subseteq \alpha$


4.1.4.  Identity  and  Isomorphism 

We  introduce  terminology  to  describe  when  two  computation  graphs  completely  match: 


³ Labeled graphs are essentially identical to ordered multisets, which surface in the literature (such as Pratt’s work 
on  partial  order  time  [Pr86]).  However,  we  feel  the  former  representation  is  more  amenable  to  computer  scientists. 
Further,  using  graphs  rather  than  pomsets  grants  us  the  liberty  to  use  more  general  temporal  relations. 
Definition 4.2 Two computation graphs $\alpha_1$ and $\alpha_2$ are identical

$\alpha_1 = \alpha_2$

when they match: when a bijection exists giving an exact matching of nodes and edges.

Since nodes in computation graphs have labels (by definition), for two nodes to match, they must possess the same label. The standard graph-theoretic notion of isomorphism ignores labels and consequently gives a weaker correspondence:

Definition 4.3 Two computation graphs $\alpha_1$ and $\alpha_2$ are isomorphic

$\alpha_1 \cong \alpha_2$

when they are identical, except for the node labeling. That is, we can relabel the nodes in $\alpha_1$ to obtain a graph $\alpha'_1$ satisfying $\alpha'_1 = \alpha_2$.

Both identity and isomorphism depend on the existence of a bijection between two graphs. Having explicit access to this bijection will be useful:

Definition 4.4 A pairing between two graphs $\alpha_1$ and $\alpha_2$ is simply a subset $P$ of $\alpha_1 \times \alpha_2$. If $\alpha_1 = \alpha_2$ and pairing $P$ enumerates the identification, we write

$\alpha_1 =_P \alpha_2$

Similarly, if $\alpha_1 \cong \alpha_2$ and pairing $P$ enumerates the isomorphism, we write

$\alpha_1 \cong_P \alpha_2$

The correspondence between two identical or isomorphic computation graphs does not necessarily induce unique pairings: consider two copies of an edgeless graph consisting of two nodes with the same label.


Identity and Isomorphism on Subgraphs Suppose two graphs have identical subgraphs:

$\alpha_1 \supseteq \alpha'_1 =_P \alpha'_2 \subseteq \alpha_2$

Then the pairing $P$ between the subgraphs extends to be a pairing between graphs. The pairing not only enumerates the identification between the subgraphs but also specifies the subgraphs. Figure 4.1 illustrates this relationship.

This  technique  also  applies  to  isomorphic  subgraphs. 
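As an added illustration of Definitions 4.2 to 4.4 (this code is not from the paper), the following decides identity and isomorphism of two small computation graphs by exhaustively searching for a bijection between their node sets, and returns every pairing $P$ that witnesses the match. The graph encoding (a dict from node id to label plus a set of (source, destination) edges), the sample graphs and the function names are this example's own.

```python
# Added example, not from the paper: deciding identity (Definition 4.2) and
# isomorphism (Definition 4.3) of two computation graphs, and producing the
# pairing that witnesses them (Definition 4.4), by exhaustive search for a
# bijection between node sets.  The graph encoding (dict node -> label, set of
# (src, dst) edges) and the function names are this example's own.
from itertools import permutations


def witness(g1, g2, perm, respect_labels):
    """Test one candidate bijection: the nodes of g1 (in order) map to perm.
    Returns the pairing as a dict over atoms, or None if it fails."""
    nodes1, edges1 = g1
    nodes2, edges2 = g2
    p = dict(zip(nodes1, perm))
    if respect_labels and any(nodes1[a] != nodes2[p[a]] for a in nodes1):
        return None                       # identity demands equal labels
    if {(p[a], p[b]) for (a, b) in edges1} != edges2:
        return None                       # edges must match exactly
    # extend the node bijection to edges so that P is a subset of g1 x g2
    return {**p, **{(a, b): (p[a], p[b]) for (a, b) in edges1}}


def pairings(g1, g2, identical=True):
    """All pairings P with g1 =_P g2 (identical=True) or g1 ~=_P g2
    (identical=False).  Empty when the graphs do not match; more than one
    element when the correspondence is not unique."""
    nodes1, edges1 = g1
    nodes2, edges2 = g2
    if len(nodes1) != len(nodes2) or len(edges1) != len(edges2):
        return []
    found = []
    for perm in permutations(nodes2):
        p = witness(g1, g2, perm, identical)
        if p is not None:
            found.append(p)
    return found


def are_identical(g1, g2):
    return bool(pairings(g1, g2, identical=True))


def are_isomorphic(g1, g2):
    return bool(pairings(g1, g2, identical=False))


# Constructed sample graphs: a send followed by a receive, twice with different
# node names (identical), once with a different label (merely isomorphic), and
# the edgeless two-node graph of the text (two pairings with itself).
G1 = ({"A": "send", "B": "receive"}, {("A", "B")})
G2 = ({"X": "send", "Y": "receive"}, {("X", "Y")})
G3 = ({"X": "compute", "Y": "receive"}, {("X", "Y")})
EDGELESS = ({"A": "idle", "B": "idle"}, set())

if __name__ == "__main__":
    print(pairings(G1, G2))
    print(are_identical(G1, G3), are_isomorphic(G1, G3))
    print(len(pairings(EDGELESS, EDGELESS)))
```

The search is factorial in the number of nodes, which is fine for the small graphs of this chapter; `pairings(EDGELESS, EDGELESS)` returns two pairings, which is exactly the non-uniqueness the text points out.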
Figure 4.1 The pairing enumerating the identification between two identical subgraphs also specifies the subgraphs. Here, each $\alpha'_i \subseteq \alpha_i$, and $\alpha'_1 =_P \alpha'_2$. However, $P$ is a pairing not only between the subgraphs $\alpha'_i$ but is also a pairing between the graphs $\alpha_i$. Given $\alpha_1$ and $\alpha_2$ and $P$, we can figure out that the $\alpha'_i$ subgraphs are identical.

4.2.  Ground-Level  Computation  Graphs 

Currently  we  describe  real  physical  computation  via  traces.  Our  time  models  will  provide  the 
means  for  more  abstract  descriptions.  In  order  to  have  closure  on  composition,  time  models  will 
operate  on  computation  graphs.  Thus,  in  order  for  time  models  to  apply  to  real  computations,  we 
need  to  lift  traces  into  this  computation  graph  format. 

We  want  to  perform  this  action  with  a  minimum  of  abstraction,  since  abstraction  is  the  duty  of 
models.  This  lifting  is  just  some  sleight  of  hand  so  that  models  can  talk  about  the  real  world. 


4.2.1 .  Turning  Traces  into  Graphs 

Since we will perform abstractions on computation graphs, we need to make sure that the ground-level graph for a trace contains everything of interest in the trace. Consider the trace $T = ((t_0, S_0), \ldots, (t_k, S_k))$ with $S_i = (c_{i,1}, c_{i,2}, \ldots, c_{i,n})$. This trace expresses a handful of interesting things about the underlying computation:

• At time $t_i$, the $j$th process is in configuration $c_{i,j}$.

• Either this configuration persists through $t_{i+1}$, or there exists exactly one time $u_i$ in the open interval $(t_i, t_{i+1})$ at which this process changes configurations. This change must have one of the following forms:

 - the process undergoes a send, receive, or compute transition (from Axiom 2.1).

 - a message departs from the send queue of this process

 - a message arrives at the receive queue of this process

But the exact value of $u_i$ is not known.

• If the trace indicates that two different processes each undergo a configuration change in the interval $(t_i, t_{i+1})$, the changes occurred at the same instant. (This follows from the definition of trace: otherwise the observer would have taken an intermediate photograph.)

We construct the ground-level computation graph of $T$ by, for each process, creating a node for each of these interesting actions. (Thus, each of these actions becomes an “event.”) We then draw edges to represent the basic transitions from action to action at each process. The basic transitions go from photo to photo, if nothing happened, or from photo to configuration change and from configuration change to the next photo.

We choose event labels from the set:

$\text{PROC-NAMES} \times \big( (\{\text{photo}\} \times \text{CONFIGS} \times \text{non-negative reals}) \cup (\{\text{send}, \text{receive}, \text{depart}, \text{arrive}\} \times \text{MESSAGES}) \cup \{\text{compute}\} \big)$

This set just follows the above schema. Each label is a pair containing a process name, and a description of the event: a timestamped photograph or a configuration transition.


4.2.2.  Computations  and  Ground-Level  Graphs 

Physical computation takes place in space and time. The computation that trace $T$ represents takes place in the space-time region $\text{PROC-NAMES} \times [t_0, t_k]$ (the cross-product of a discrete set with a closed interval of the reals). The ground-level graph for $T$ has two important properties relating to this region.

• Each atom of the ground-level graph of $T$ naturally represents some part of the underlying region.

 - Event $(p, (\text{photo}, c, t_i))$ represents the instant $(p, t_i)$ of the photo.

 - A configuration change event $(p, \text{foo})$ (between the $t_i$ and $t_{i+1}$ photos) represents the instant of transition foo: the point $(p, u)$ for the [unknown] instant $u$ in the open interval $(t_i, t_{i+1})$ when the change occurred.

 - Edges represent the transitions between consecutive events at the same process. We induce the region this edge represents from the regions the events represent: the edge from the $(p, t)$ node to the $(p, u)$ node represents the region $(p, (t, u))$.

• The regions represented by the atoms in the graph of $T$ form a partition of the region represented by $T$.

Every instant at every process in a computation that trace $T$ describes corresponds to exactly one atom in the ground-level computation graph. Every atom in the ground-level computation graph represents a disjoint set of these instants. Figure 4.2 sketches an example of these properties.


4.2.3.  No  Abstraction 

We reiterate that the ground-level computation graph of $T$ is merely a graph version of the trace $T$, expanded to include the (inferred) configuration transitions. The graph contains no explicit ordering information that was not already present in the trace. The graph also contains information (such as the times of the photos, and even the existence of the photos) not available to the processes.

Figure 4.2 A ground-level computation graph represents computational space-time. Each atom in the ground-level graph $\alpha$ represents activity at process $p$ or $q$ at some point or interval of real time. (The horizontal axis of the figure is real time.)

The  graph  version  of  a  trace  merely  expresses  the  trace  in  graph  format.  Any  higher  abstraction 
(such  as  imposing  orders  or  pruning  away  uninteresting  actions)  is  the  job  of  a  time  model. 


4.3.  Time  Models 


Formally,  a  time  model  is  a  particular  way  of  transforming  one  set  of  computation  graphs  into 
another  set,  presumably  more  abstract.  Concomitant  with  this  transformation  is  a  notion  of  repre¬ 
sentation;  an  atom  in  the  transformed  graph  may  represent  a  set  of  atoms  in  the  original  graph.  Time 
models  usually  depart  from  physical  reality  in  order  to  better  express  some  underlying  conceptual 
structure. 


4.3.1 .  Events  and  Temporal  Relations 

Events  As  we  saw  in  Section  4.1,  building  computation  graphs  requires  bundling  process  activity 
into  discrete  packages  called  events.  We  identify  events,  the  basic  “things  that  happen,”  with  their 
nodes.  Events  are  atomic  in  the  sense  that  they  provide  the  fundamental  level  of  granularity  in  the 
computation  graph:  in  this  graph,  one  cannot  talk  about  anything  finer.  The  label  on  an  event  should 
describe  that  event  in  sufficient  detail  for  the  level  of  abstraction  in  this  graph — for  example,  if  a 
graph  represents  what  a  process  perceives  about  a  computation,  the  labels  should  make  no  reference 
to  things  that  process  cannot  observe,  such  as  real  time. 


Temporal  Relations  In  the  ground- level  computation  graphs  from  Section  4.2,  edges  represent 
transitions  between  events.  In  more  general  graphs,  the  edges  will  represent  a  temporal  relation 
on  events — the  “order”  in  which  they  happen. 

A temporal relation is a binary precedes relation on a collection of elements (which, in this paper, will be events). We write $A \rightarrow B$ to indicate that event $A$ precedes event $B$ in this relation. We also use some variations:

• $A \rightarrow_{=} B$ when $A \rightarrow B$ or $A = B$

• $A \not\rightarrow B$ when $A$ does not precede $B$

• $A \leftrightarrow B$ when $A \rightarrow B$ and $B \rightarrow A$

• $A \leftrightarrow_{=} B$ when $A \leftrightarrow B$ or $A = B$

• $A \parallel B$ when neither $A \rightarrow B$ nor $B \rightarrow A$

A relation is transitive when (for any events $A$, $B$, $C$) if $A \rightarrow B$ and $B \rightarrow C$ then $A \rightarrow C$. A relation is antisymmetric when $A \rightarrow B$ and $B \rightarrow A$ cannot both hold for $A \neq B$. A relation is irreflexive when no $A \rightarrow A$. A partial order is a relation that is transitive, antisymmetric, and irreflexive; a total order is a partial order that is complete: for any $A \neq B$, either $A \rightarrow B$ or $B \rightarrow A$.

We introduce a new term: a linear time order is a partial order where concurrency ($\parallel$) is an equivalence relation whose equivalence classes induce a total order. In a linear time order, we can assign each event $A$ a real number $T(A)$, such that $T(A) < T(B)$ iff $A \rightarrow B$, for distinct $A$, $B$. (A linear time order is just a total order that allows for simultaneous events.)


4.3.2.  Representation 

From  Graph  to  Graph  Events  represent  discrete  units  of  computation.  In  the  physical  system, 
computation  takes  place  in  space  and  time.  Expressing  computation  as  traces  imposes  a  granularity 
on  perception:  things  happen  at  processes  (the  space  coordinates),  and  time  values  from  the  trace 
must  delimit  the  time  periods  (the  time  coordinates).  The  graph  version  of  a  trace  constructs 
events  and  edges  by  packaging  portions  of  the  space-time  computation  region  as  single  atoms.  As 
Section  4.2.2  observes,  this  packaging  has  some  convenient  properties:  each  atom  represents  a 
disjoint  subregion,  and  together  these  subregions  constitute  a  partition  of  the  full  region. 

Constructing a computation graph $\beta$ to model another computation graph $\alpha$ should proceed in the same fashion. Each atom in $\beta$ may represent some portion of the computation region that $\alpha$ expresses. (A ghost atom is one that represents nothing.) However, this region is no longer space-time, but rather is the graph $\alpha$. As with traces, the structure of the region forces a granularity on the perceivable subregions: they must be composed of subsets of atoms of $\alpha$.

We could express this representation in a number of ways (regarding a graph as the set of its atoms):

• as a relation between $\alpha$ and $\beta$

• as a partial function from $\alpha$ to $\beta$

• as a function from $\alpha$ to $\mathcal{P}(\beta)$

• as a function from $\beta$ to $\mathcal{P}(\alpha)$

The first approach makes composition of models awkward; the second forces each atom in $\alpha$ to have at most one representative in $\beta$ (a restriction which we suspect may cause problems eventually); the third makes it difficult to talk about the multiple atoms a single atom might represent.

We conclude that the fourth approach is the cleanest and the most flexible. It most closely follows the principle that each atom in $\beta$ represents some set of atoms in $\alpha$. It also allows us to express easily properties such as “each $\alpha$ atom has at most one representative in $\beta$” and “$\beta$ may have no ghost nodes.” Such a function naturally extends to act on sets of atoms: apply the function to the individual elements in the set and take the union of the results.


Terminology Suppose graph $\beta$ represents graph $\alpha$. A representation map is a function taking each atom of $\beta$ to a set of atoms of $\alpha$. (As we will see in the next section, representation maps will accompany model applications.)

Since we’re talking about representation, we’ll adopt a democratic model for terminology. Let $x$ be an atom of $\beta$, $y$ an atom of $\alpha$, and $R$ a representation map from $\beta$ to $\alpha$. Then we say:

• $x$ is a representative of $y$ (if $y \in R(x)$)

• $R(x)$ is the constituency of $x$

• $y$ is a constituent of $x$ (if $y \in R(x)$)


However,  we  allow  for  general,  Chicago-style  democracy: 


•  Some  representatives  may  have  overlapping  constituencies. 

•  Some  representatives  may  have  empty  constituencies. 

•  The  collection  of  constituencies  might  not  cover  the  entire  populace. 


4.3.3.  Models 

A  Formal  Definition  We  put  the  elements  of  Section  4.3.1  and  Section  4.3.2  together  to  produce 
a  formal  definition  of  a  time  model:  a  uniform  way  to  build  a  computation  graph  whose  pieces 
explicitly  represent  pieces  of  another  computation  graph. 

Definition 4.5 A time model is a partial function $M$ taking computation graphs to computation graphs, such that (if $M$ is defined on graph $\alpha$) the application $\alpha \mapsto M(\alpha)$ induces a representation map from $M(\alpha)$ back to $\alpha$. We write

$\langle M, \alpha \rangle$

to indicate this representation map.


Figure  4.3  illustrates  the  action  of  a  time  model  and  its  representation  map. 
Figure 4.3 Model $M$ transforms computation graph $\alpha$ to computation graph $M(\alpha)$. The representation map $\langle M, \alpha \rangle$ takes each atom of $M(\alpha)$ back to the set of atoms in $\alpha$ it represents. The bold arrow indicates the action of $M$; the dashed arrows indicate the action of $\langle M, \alpha \rangle$.


Conventions Models are partial functions, so the domain of a model is the set $\mathcal{D}$ of graphs for which it is defined.

When $\beta$ is understood to be a particular computation graph that model $M$ generates from graph $\alpha$, we write

$A \rightarrow B$ in $M$

to indicate that event $A$ precedes event $B$ in $\beta$ (and, implicitly, that events $A$ and $B$ appear in $\beta$). (In some situations, we will want to emphasize the model, not the particular graph names. This shorthand makes such emphasis possible.)

A time model $M$ naturally induces transformations of graph sets that its domain contains: $M(\mathcal{G})$ is the set consisting of the transformed graphs $\{M(\alpha) : \alpha \in \mathcal{G}\}$.


Composition  and  inversion  Simple  manipulations  of  functions  apply  to  models  too — the 
only  trick  is  handling  the  representation  maps.  For  example,  composing  models  yields  a  model. 

Definition 4.6 Suppose model $M_1$ (with domain $\mathcal{D}_1$) and model $M_2$ (with domain $\mathcal{D}_2$) satisfy

$M_1(\mathcal{D}_1) \subseteq \mathcal{D}_2$

Then their composition $M_2 \circ M_1$ is the model on domain $\mathcal{D}_1$ taking $\alpha$ to $M_2(M_1(\alpha))$, with

$\langle M_2 \circ M_1, \alpha \rangle = \langle M_1, \alpha \rangle \circ \langle M_2, M_1(\alpha) \rangle$
Figure 4.4 To obtain $\beta = (M_2 \circ M_1)(\alpha)$, we transform $\alpha$ according to $M_1$, and then transform the result according to $M_2$. To figure out what an atom of $\beta$ represents in $\alpha$, we obtain the set of atoms it represents in $M_1(\alpha)$, and then figure out what each of these represents in $\alpha$. Solid arrows indicate the action of $M_1$ and $M_2$; the bold solid arrow indicates the action of $M_2 \circ M_1$. Dashed arrows indicate the action of the representation maps $\langle M_1, \alpha \rangle$ and $\langle M_2, M_1(\alpha) \rangle$; the bold dashed arrow indicates the action of the representation map $\langle M_2 \circ M_1, \alpha \rangle$.
Figure  4.4  illustrates  composition  of  models. 

We can also talk about the inverse image of graphs (relative to a given model and class). If $\alpha$ is a graph from $M(\mathcal{G})$ where $\mathcal{G}$ is understood, then $M^{-1}(\alpha)$ is the set

$\{\beta \in \mathcal{G} : M(\beta) = \alpha\}$

A Simple Example The computation that a trace $T$ expresses has a natural synchronized structure. But the ground-level computation graph of $T$ not only fails to express this structure, it also includes items from the trace (the photographs) and items induced from the trace (arrive and depart nodes) that one ordinarily would not regard as genuine events in the computation. We now introduce a simple time model that abstracts ground-level graphs to graphs that more cleanly represent the computational activity.

Definition 4.7 The model LINEAR takes ground-level graph $\alpha$ to the graph $\beta$ built as follows. Let $\alpha$ be the graph of trace $T = ((t_0, S_0), \ldots, (t_k, S_k))$.

Nodes For each process $p$:

• Create a node $\bot$ in $\beta$ for the node $(p, \text{photo}, t_0)$ in $\alpha$.

• Create a node $\top$ in $\beta$ for the node $(p, \text{photo}, t_k)$ in $\alpha$.

• Node $(p, \text{photo}, t_i)$ leads to node $(p, \text{photo}, t_{i+1})$ in $\alpha$, possibly through an intermediate node $A_i$. Examine this transition:

 - If the intermediate node $A_i$ exists and is a send, receive or compute, then create a copy of this node (minus the $p$ name) in $\beta$.

 - Otherwise, nothing interesting happened, so create a node idle in $\beta$.

Edges Thus, there exists a node in $\beta$ for time $t_0$ at each process, for time $t_k$ at each process, and for the transition from $t_i$ to $t_{i+1}$ at each process. Draw an edge from node $A$ to node $B$ in $\beta$ (not necessarily from the same process) whenever any of the following hold:

• $A$ represents the transition from $t_i$ to $t_{i+1}$, and $B$ represents the transition from $t_{i+1}$ to $t_{i+2}$

• $A$ represents $t_0$ and $B$ represents the transition from $t_0$ to $t_1$.

• $A$ represents the transition from $t_{k-1}$ to $t_k$, and $B$ represents $t_k$

• $A$ represents $t_0$ and $B$ represents $t_1$, in the degenerate case when $k = 1$.

The representation map formalizes this natural representation. $\langle \text{LINEAR}, \alpha \rangle$ takes each non-idle node in $\beta$ to the corresponding node in $\alpha$, and the idle nodes in $\beta$ to the atoms lying between the corresponding pair of photo nodes. The edges in $\beta$ between sequential nodes at the same process represent the internal atoms in the paths between the nodes they represent; the cross-process edges are ghosts.

Figure  4.5  shows  the  application  of  LINEAR  to  a  simple  trace  graph. 
Figure 4.5 We obtain $\beta$ by applying LINEAR to the simple ground-level computation graph $\alpha$. Dashed lines connect each atom in $\beta$ to the atoms it maps to under $\langle \text{LINEAR}, \alpha \rangle$.


The  LINEAR  model  derives  its  name  from  the  fact  that  it  expresses  the  basic  steps  in  the  natural 
linear  time  order  on  computations.  Fully  expressing  the  linear  time  order  requires  one  more  tool 
(which  Section  5.1  will  provide). 
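As an added, runnable illustration (not code from the paper) of the pipeline described in Definition 3.2, Section 4.2.1 and Definition 4.7: a constructed trace is lifted to its ground-level computation graph and then abstracted by LINEAR, with the representation map $\langle \text{LINEAR}, \alpha \rangle$ built alongside. The configuration format (state, send queue, receive queue) and the rule that classifies a configuration change by comparing adjacent photos are assumptions of this example, not fixed by the paper; the degenerate $k = 1$ edge rule is omitted.

```python
# Added example, not from the paper: a trace (Definition 3.2) lifted to a
# ground-level computation graph (Section 4.2.1) and abstracted by LINEAR
# (Definition 4.7).  Assumed here: a configuration is (state, send_queue,
# receive_queue) and a change is classified by comparing adjacent photos.
from dataclasses import dataclass, field

@dataclass
class Graph:
    """Labelled nodes, directed edges, and the representation map from each
    atom to the atoms it represents (empty set = ghost atom)."""
    nodes: dict = field(default_factory=dict)   # node id -> label
    edges: set = field(default_factory=set)     # (src id, dst id)
    rep: dict = field(default_factory=dict)     # atom -> frozenset of atoms

def classify_change(old, new):
    """Transition between two consecutive photos of one process, or None.
    (Assumed: queues are tuples, append at the back, remove at the front.)"""
    if old == new:
        return None
    (_, snd0, rcv0), (_, snd1, rcv1) = old, new
    if len(snd1) > len(snd0): return ("send", snd1[-1])
    if len(snd1) < len(snd0): return ("depart", snd0[0])
    if len(rcv1) > len(rcv0): return ("arrive", rcv1[-1])
    if len(rcv1) < len(rcv0): return ("receive", rcv0[0])
    return ("compute",)

def ground_level_graph(trace, procs):
    """Section 4.2.1: a node per photo and per inferred configuration change,
    edges for the per-process transitions.  trace = [(t_i, (c_i1..c_in)), ...]."""
    alpha = Graph()
    for j, p in enumerate(procs):
        prev = (p, "photo", 0)
        alpha.nodes[prev] = (p, ("photo", trace[0][1][j], trace[0][0]))
        for i in range(len(trace) - 1):
            t_next, confs = trace[i + 1]
            change = classify_change(trace[i][1][j], confs[j])
            if change is not None:
                alpha.nodes[(p, "change", i)] = (p, change)
                alpha.edges.add((prev, (p, "change", i)))
                prev = (p, "change", i)
            alpha.nodes[(p, "photo", i + 1)] = (p, ("photo", confs[j], t_next))
            alpha.edges.add((prev, (p, "photo", i + 1)))
            prev = (p, "photo", i + 1)
    return alpha

def LINEAR(alpha, procs, k):
    """Definition 4.7: per process a bottom node for t_0, a top node for t_k and
    one node per interval (t_i, t_{i+1}); every node of one layer precedes every
    node of the next.  beta.rep carries <LINEAR, alpha>.  (k = 1 rule omitted.)"""
    beta = Graph()
    layers = {i: [] for i in range(-1, k + 1)}        # -1: bottoms, k: tops
    for p in procs:
        bot, top = (p, "bot"), (p, "top")
        beta.nodes[bot], beta.rep[bot] = "bottom", frozenset({(p, "photo", 0)})
        beta.nodes[top], beta.rep[top] = "top", frozenset({(p, "photo", k)})
        layers[-1].append(bot); layers[k].append(top)
        for i in range(k):
            step, change = (p, "step", i), (p, "change", i)
            lo, hi = (p, "photo", i), (p, "photo", i + 1)
            if change in alpha.nodes and alpha.nodes[change][1][0] in ("send", "receive", "compute"):
                beta.nodes[step] = alpha.nodes[change][1]    # copy, minus the process name
                beta.rep[step] = frozenset({change})
            else:                                             # depart, arrive, or nothing at all
                beta.nodes[step] = "idle"
                between = {e for e in alpha.edges if e[0] == lo or e[1] == hi}
                if change in alpha.nodes:
                    between.add(change)
                beta.rep[step] = frozenset(between)           # the atoms between the two photos
            layers[i].append(step)
    for i in range(-1, k):
        for a in layers[i]:
            for b in layers[i + 1]:
                beta.edges.add((a, b))
                if a[0] != b[0]:
                    beta.rep[(a, b)] = frozenset()            # cross-process edge: ghost
                else:                                         # same process: the photo node in
                    photo = (a[0], "photo", i + 1)            # between plus its unclaimed edges
                    atoms = {photo} | {e for e in alpha.edges if photo in e}
                    beta.rep[(a, b)] = frozenset(atoms - beta.rep[a] - beta.rep[b])
    return beta

def representatives(beta, y):
    """Section 4.3.2: the atoms of beta whose constituency contains y."""
    return {x for x, cons in beta.rep.items() if y in cons}

# Constructed sample trace, photos at t = 0..4: p sends m1; m1 departs p and
# arrives at q in the same interval; q receives m1; p computes.
TRACE = [(0, (("s0", (), ()), ("r0", (), ()))),
         (1, (("s1", ("m1",), ()), ("r0", (), ()))),
         (2, (("s1", (), ()), ("r0", (), ("m1",)))),
         (3, (("s1", (), ()), ("r1", (), ()))),
         (4, (("s2", (), ()), ("r1", (), ())))]
PROCS = ("p", "q")

def demo():
    """Build alpha and beta and check that the constituencies of beta partition
    alpha: every atom of alpha has exactly one representative."""
    alpha = ground_level_graph(TRACE, PROCS)
    beta = LINEAR(alpha, PROCS, len(TRACE) - 1)
    atoms = list(alpha.nodes) + list(alpha.edges)
    return alpha, beta, all(len(representatives(beta, y)) == 1 for y in atoms)
```

The closing check in `demo` is the property a practitioner would want from this map: every atom of $\alpha$ has exactly one representative in $\beta$, so the constituencies partition $\alpha$ and only the cross-process edges are ghosts. The same-instant depart (at p) and arrive (at q) in the interval $(1, 2)$ both collapse to idle nodes, exactly as the definition prescribes.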


Chapter  5 

Properties  and  Operators 


This  chapter  presents  machinery  to  talk  about  some  properties  of  computation  graphs  and  time 
models.  We  develop  this  machinery  both  by  considering  the  actual  properties — of  graphs,  of  sets 
of  graphs,  and  of  models  that  produce  such  graphs — and  also  by  considering  operators  on  graphs 
that  ensure  that  some  given  property  holds.  (Conveniently,  such  operators  take  a  familiar  form: 
time  models.)  Section  5.1,  Section  5.2  and  Section  5.3  consider  some  special  issues  arising  from 
relations.  Section  5.4  and  Section  5.5  consider  the  generation  and  representation  issues  arising 
from  model  applications.  Finally,  Section  5.6  considers  the  issues  involved  in  merging  computation 
graphs  and  merging  the  models  that  produce  them. 


5.1 .  Transitivity 


The  computation  graphs  that  we’ve  seen  so  far  (ground-level  graphs  and  their  LINEAR  images) 
express  events  and  transitions  between  events.  However,  usually  we  think  of  temporal  relations  as 
being  transitive:  if  event  A  happens  before  event  B,  and  event  B  happens  before  event  C,  then 
event  A  happens  before  event  C. 


Defining Transitive Closure Hence, we say that a computation graph $\alpha$ is transitive if its relation is transitive: an edge exists from $A$ to $B$ whenever $B$ is reachable from $A$. We obtain the transitive closure $\overline{\alpha}$ of a graph $\alpha$ by adding an edge from $A$ to $B$ whenever a path but no edge exists between them.

A  model  is  transitive  when  it  produces  only  transitive  computation  graphs.  Taking  the  transitive 
closure  of  a  model  seems  a  natural  operation,  but  the  representational  aspect  of  models  makes  this 
operation somewhat non-trivial. Suppose model $M$ acts on graph $\alpha$. Clearly we want the transitive closure of $M$ to produce a transitive version of $M(\alpha)$. Unless $M(\alpha)$ already is transitive, we will need to add edges. Which edges should we add? What should these edges represent?

In this paper, we choose the simplest approach:⁴ simply take the transitive closure of each graph that $M$ produces, and let any new edges be ghosts. Here we begin to see some of the expressiveness of time models: the transitive closure operator is itself a time model that copies a graph and adds edges. We call this model TRANS, and use the shorthand:

$\overline{M} = \text{TRANS} \circ M$


Using Transitive Closure As we have mentioned, usually we think of temporal relations as transitive. However, these relations usually arise by first considering some “basic” transitions on events. Having an explicit transitive closure operator allows us to follow this technique when building models.

For example, the transitive closure $\overline{\text{LINEAR}}$ expresses the full linear time ordering of process actions induced by real time.

Asking about precedence in graph $\overline{M}(\alpha)$ is equivalent to asking about paths in $M(\alpha)$. (Having the flexibility to talk about both the “full” version and the “single-step” version of a time model will be useful in subsequent papers when we consider knowability issues.)


5.2.  Bounds 


Is  there  a  well-defined  “earliest”  or  “latest”  event  in  a  computation?  In  this  section,  we  define  what 
this  means  and  present  an  operator  to  force  models  that  produce  extremal  events  to  produce  unique 
extremal  events. 


The  Property  An  event  is  minimal  in  a  graph  if  no  event  precedes  it.  Similarly,  an  event  is 
maximal  if  no  event  succeeds  it. 

A computation graph $\alpha$ is bounded when it contains a unique minimum that precedes all other events in $\alpha$, and a unique maximum that follows all other events in $\alpha$. When a graph is bounded, the unique extrema are its bounding nodes.


⁴ Another approach would be to add an edge for each nontrivial path from event $A$ to event $B$. The new edge would represent the internal atoms in this path. This alternative approach allows us to reach through some precedence assertion to the individual steps that cause it to hold. This ability might be useful; for example, it makes it easier to state one of our preliminary security results [Sm91]: an honest process (using a certain clock implementation) will always detect the presence of an edge, if the events that edge represents occur only at honest processes.

Should we eventually be interested in the more complicated form of closure, we could insert that between $M$ and $\overline{M}$ by first defining $\text{TRANS}_1$ (which adds representative edges for each nontrivial path) and then $\text{TRANS}_2$ (which replaces all edges from $A$ to $B$ by a single representative ghost edge). Then we would re-define TRANS as the composition $\text{TRANS}_2 \circ \text{TRANS}_1$.
A model $M$ is bounded when it produces only bounded graphs.

A graph $\alpha$ is transitively bounded when $\overline{\alpha}$ is bounded; a model $M$ is transitively bounded when $\overline{M}$ is bounded.


An Operator  Suppose model $M$ produces graphs whose transitive closure contains minima and maxima. One way to ensure that $M$ is transitively bounded is to collapse the extrema into single events.

Definition 5.1  The model EXTREMA takes a graph $\alpha$ to the graph $\beta$ as follows:

Nodes  Partition the nodes of the transitive closure $\overline{\alpha}$ into three sets: $S_\bot$ containing the minima, $S_\top$ containing the maxima, and $S_{\mathrm{mid}}$ the remaining nodes. The nodes of $\beta$ consist of one copy of each node in $S_{\mathrm{mid}}$, plus a new node labeled $\bot$ if $S_\bot$ is nonempty, plus a new node labeled $\top$ if $S_\top$ is nonempty.

Edges  The node construction induces a natural surjection $F$ from nodes in $\alpha$ to nodes in $\beta$. Use this surjection to draw edges: if an edge exists from $A$ to $B$ in $\alpha$, then draw one from $F(A)$ to $F(B)$ in $\beta$. (Thus $F$ extends to a surjection $F'$ from atoms to atoms.)

The representation map $\langle \mathrm{EXTREMA}, \alpha \rangle$ is the inverse of the surjection $F'$.

Applying EXTREMA to a model does not necessarily yield a transitively bounded model. For an easy counterexample, suppose model $M$ produces graphs that are simple cycles. Since $M$ produces no minima or maxima, we have

$$\mathrm{EXTREMA} \circ M = M$$

and thus $M$ is not bounded.


5.3. Cycles

Given a directed graph, a natural question is to ask whether it contains any cycles. This question applies to our work, since time models produce computational graphs.

Hence, we say that a node $A$ in graph $\alpha$ is acyclic when no cycle in $\alpha$ contains it. We say that graph $\alpha$ is acyclic when it contains no cycles. Finally, we say that a model $M$ is acyclic when it produces only acyclic graphs.

Conversely, a node $A$ is cyclic if it is contained in a cycle; a graph $\alpha$ is cyclic if it contains a cycle.
5.4. Generators

On a basic level, we might regard possible system behavior (what the system does in a given set of circumstances) as a set of possible system traces. Our time theory allows us to regard possible system behavior instead as a set of possible computation graphs. However, this set of graphs cannot stand alone as a descriptive entity; we need to specify how this particular set originates in the ground-level graphs.

This specification consists of two things: a model $M$ and a graph set $\mathcal{G}_2$ such that $\mathcal{G}_1 = M(\mathcal{G}_2)$. We say that such a model is a generator of set $\mathcal{G}_1$. If $\mathcal{G}_2$ consists of ground-level computation graphs, then $M$ is a grounding generator of $\mathcal{G}_1$: each graph in $\mathcal{G}_1$ is grounded in physical reality. If $M$ produces no ghost events in $\mathcal{G}_1$, then it is a concrete generator of $\mathcal{G}_1$: each event in a $\mathcal{G}_1$ graph has concrete meaning in its $\mathcal{G}_2$ pre-image.

Some interesting scenarios will develop when a set of models induces multiple grounding generators for a single graph set. For example, the graph $\beta$ in Figure 1.7 might arise from failure-free execution or from a faulty execution simulating (through rollback) a failure-free execution. Subsequent papers will present a more thorough exploration of this topic.


5.5. Disjoint and Complete Models

Suppose computation graph $\alpha$ lies in the domain of model $M$. The new graph $M(\alpha)$ represents the original graph $\alpha$. How expressive is this representation? Two issues arise immediately.

• Do the atoms in $M(\alpha)$ have unique meanings?

• In the $M(\alpha)$ graph, can we still talk about every atom in $\alpha$?

We introduce two terms to handle these issues. Model $M$ is disjoint on $\alpha$ if the constituencies of the atoms in $M(\alpha)$ are disjoint (that is, no atom of $\alpha$ has multiple representatives in $M(\alpha)$). Model $M$ is complete on $\alpha$ if the constituencies of $M(\alpha)$ completely cover $\alpha$ (that is, each atom of $\alpha$ has at least one representative in $M(\alpha)$). If $M$ is complete and disjoint on $\alpha$ and $M(\alpha)$ is free of ghosts, then $\langle M, \alpha \rangle$ partitions the atoms of $\alpha$.

The model $M$ is itself disjoint when it is disjoint on every graph in its domain; similarly, the model $M$ is complete when it is complete on every graph in its domain.

Suppose graph $\alpha$ lies in the domain of model $M$. If $M$ is complete, every atom in $\alpha$ is represented in $M(\alpha)$. We can use $M(\alpha)$ to talk about every atom of $\alpha$ (although we may not be able to distinguish some atoms). If $M$ is disjoint, every atom from $\alpha$ that is represented in $M(\alpha)$ is represented uniquely. We may not be able to talk about every part of the original graph $\alpha$, but we can distinguish everything we can talk about.

Every model we consider in this paper will be disjoint.
5.6. Merging Graphs and Models

Suppose computation graph $\alpha$ lies in the domain of two models $M_1$ and $M_2$. We have two different abstractions of $\alpha$: the graphs $\beta_1 = M_1(\alpha)$ and $\beta_2 = M_2(\alpha)$. (Perhaps each $\beta_i$ isolates and abstracts some particular aspect of $\alpha$.)

How can we merge $\beta_1$ and $\beta_2$ to obtain a single, more complete abstraction of $\alpha$? How can we merge $M_1$ and $M_2$ into a model that always produces this more complete abstraction?


5.6.1. Merging Graphs

Suppose we are given two computation graphs $\alpha_1$ and $\alpha_2$, and we want to construct a graph that retains all the information in both. The semantics of computation graphs make this task tricky: a graph may have multiple nodes with the same label. Suppose $\alpha_1$ and $\alpha_2$ each have a node labeled $A$. Should we merge these nodes or keep them separate? What if $\alpha_1$ and $\alpha_2$ instead have identical subgraphs $\alpha'$, a bit more complicated than the singleton $A$? If $\alpha_1$ and $\alpha_2$ have multiple pairs of identical subgraphs, which pair should we merge?

To rectify this confusion, we need to explicitly specify the pairs of atoms we will identify (that is, the pairs of atoms that will take on the same identity in the merged graph). Section 4.1.4 gives us the necessary tools.

Definition 5.2  Suppose computation graph $\alpha_1$ has subgraph $\alpha'_1$, computation graph $\alpha_2$ has subgraph $\alpha'_2$, and $\alpha'_1 \cong_P \alpha'_2$. We obtain the union with respect to $P$,

$$\alpha_1 \cup_P \alpha_2$$

by joining the two graphs $\alpha_i$ and merging the two atoms in each pair in $P$.

Of course a quick and dirty solution to the problem of merging graphs is to take the disjoint union: deliberately keep all nodes and edges separate, and obtain a disconnected graph with two components $\alpha_1$ and $\alpha_2$. This is just taking the union with respect to the empty pairing.

Figure 5.1 illustrates the two forms of graph union.


5.6.2. Merging Models

Suppose $M_1$ and $M_2$ share domain $\mathcal{D}$. Merging these models by merging the graphs they produce requires specifying which atoms in these graphs will be identified. Hence, for each $\alpha \in \mathcal{D}$, we need to exhibit a pairing $P$ between the $M_i(\alpha)$. However, not just any pairing will do, since the atoms in a transformed graph represent atoms in the original graph. The pairing must respect this representation.

Figure 5.1  Suppose two computation graphs $\alpha_1$ and $\alpha_2$ have identical subgraphs ($\alpha'_1$ and $\alpha'_2$, respectively), matched by pairing $P$ (left). We obtain the union $\alpha_1 \cup_P \alpha_2$ by merging the $\alpha'_i$ according to the pairing $P$ (top right); we obtain the disjoint union $\alpha_1 \cup_\emptyset \alpha_2$ by keeping both graphs separate and disconnected (bottom right).

The possible presence of ghosts makes constructing this list slightly nontrivial. Should two ghost nodes with the same label be considered the same? What about two ghost edges?

In this paper, we take the most straightforward approach to this dilemma: we keep ghost nodes distinct but we merge ghost edges that obviously coincide.

Let $M_1$ and $M_2$ share domain $\mathcal{D}$, and let $\alpha$ be a graph from $\mathcal{D}$. Let $\alpha_i$ be the image $M_i(\alpha)$. Suppose node $A_1$ in $\alpha_1$ and node $A_2$ in $\alpha_2$ have the same label and represent the same (nonempty) part of $\alpha$:

$$\langle M_1, \alpha \rangle(A_1) = \langle M_2, \alpha \rangle(A_2) \neq \emptyset$$

Then clearly we should regard $A_1$ and $A_2$ as the same node in the merged graph.

For preserving edges, we drop the prohibition against ghosts, but add another rule: the endpoints must be common. If edge $E_i$ connects node $A_i$ to node $B_i$ in graph $\alpha_i$, node $A_1$ is identified with node $A_2$, node $B_1$ is identified with node $B_2$, and $\langle M_1, \alpha \rangle(E_1) = \langle M_2, \alpha \rangle(E_2)$, then we identify these edges.

Definition 5.3  For models $M_1$ and $M_2$ and graph $\alpha$ in the domain of both, let $\mathrm{COMM}(M_1, M_2, \alpha)$ denote the pairing between $M_1(\alpha)$ and $M_2(\alpha)$ constructed as above.

That is, $\mathrm{COMM}(M_1, M_2, \alpha)$ is a list of pairs of nodes and pairs of edges. A pair of nodes $(A_1, A_2)$ is in the list iff the $A_i$ have the same label and the same non-empty constituency; a pair of edges $(E_1, E_2)$ is in the list iff $(A_1, A_2)$ and $(B_1, B_2)$ are in the list (where $E_i$ connects $A_i$ to $B_i$), and the $E_i$ constituencies are equal.


The COMM pairing behaves as desired:

Proposition 5.4  Let $\alpha$ lie in the domain of models $M_1$ and $M_2$. Let $P$ be the pairing $\mathrm{COMM}(M_1, M_2, \alpha)$ and let $\beta_i = M_i(\alpha)$. Then

1. The atoms of $\beta_i$ occurring in the pairing $P$ form a subgraph $\beta'_i$.

2. $\beta'_1 \cong_P \beta'_2$

Proof  These results follow directly from Definition 5.3, Definition 4.4 and Definition 4.1. □

We can now extend union to models:

Definition 5.5  The union of models $M_1$ and $M_2$ is the model $M_1 \cup M_2$ on the intersection of their domains, with

$$(M_1 \cup M_2)(\alpha) = M_1(\alpha) \cup_{\mathrm{COMM}(M_1, M_2, \alpha)} M_2(\alpha)$$

Since the representation maps $\langle M_1, \alpha \rangle$ and $\langle M_2, \alpha \rangle$ agree on pairs of atoms from $M_1(\alpha)$ and $M_2(\alpha)$ that get identified, define the representation map $\langle M_1 \cup M_2, \alpha \rangle$ as follows:

$$\langle M_1 \cup M_2, \alpha \rangle = \begin{cases} \langle M_1, \alpha \rangle & \text{on atoms from } M_1(\alpha) \\ \langle M_2, \alpha \rangle & \text{on atoms from } M_2(\alpha) \end{cases}$$

Of course, the quick and dirty approach to merging models works as well:

Definition 5.6  The disjoint union of models $M_1$ and $M_2$ is the model $M_1 \cup_\emptyset M_2$ on the intersection of their domains. $M_1 \cup_\emptyset M_2$ takes $\alpha$ to $M_1(\alpha) \cup_\emptyset M_2(\alpha)$ with the representation map

$$\langle M_1 \cup_\emptyset M_2, \alpha \rangle = \begin{cases} \langle M_1, \alpha \rangle & \text{on atoms from } M_1(\alpha) \\ \langle M_2, \alpha \rangle & \text{on atoms from } M_2(\alpha) \end{cases}$$

We extend these operations to act on finite sets of models in the natural way.

$$\bigcup \{M_1, \ldots, M_k\} = M_1 \cup M_2 \cup \ldots \cup M_k$$

This operation is well-defined:

Proposition 5.7  The above two unions on models are associative. For models $M_1, M_2, M_3$:

1. $(M_1 \cup M_2) \cup M_3 = M_1 \cup (M_2 \cup M_3)$

2. $(M_1 \cup_\emptyset M_2) \cup_\emptyset M_3 = M_1 \cup_\emptyset (M_2 \cup_\emptyset M_3)$

Proof  The disjoint union case is trivial. For the other case, observe that nodes don't go away. Let $A_i$ be from $M_i$; if you merge $A_1$ and $A_2$ in $(M_1 \cup M_2)$, then $A_2$ will still be around in $(M_2 \cup M_3)$ to merge with $A_1$. A similar argument works for edges. □
(Part II)


Chapter  6 

Developing  a  Family  of  Models 


Section 5.1 developed the LINEAR model to express the linear time ordering that real time induces. Yet the crux of the discussion in Chapter 1 is that real time sequences are not sufficient, so this chapter uses the model tools from Chapter 5 to formally develop an alternative model: partial order time.

Section 6.1 develops a collection of timelines: models imposing a linear structure on events at a single process. Section 6.2 presents two models relating events at different processes. Section 6.3 uses these components and the tools from Chapter 5 to assemble the partial order time model POT.

Figure 6.1 shows the compositional development of this family of models.


6.1.  Within  Processes 


A ground-level computation graph gives a linear sequence of events for each process: a start point, a sequence of process actions, and a stop point.

We've already seen LINEAR perform this abstraction:

Definition 6.1  For each process $p \in$ PROC-NAMES, define $\mathrm{LINLINE}_p$ to be the model that takes a ground-level graph $\alpha$ and returns the $\mathrm{LINEAR}(\alpha)$ subgraph corresponding to process $p$.

However, these timelines still contain elements that we would not normally consider part of the computation: the idle events. We introduce a model to abstract them away:

Definition 6.2  Define the model NONIDLE to remove the idle events from graphs.

• NONIDLE applies only to graphs $\alpha$ whose idle nodes have in-degree one and out-degree one. (For example, LINLINE graphs meet this criterion.)

• Such $\alpha$ have well-defined maximal idle chains. NONIDLE copies the entire graph, but replaces each maximal chain with a single edge.

• The graph $\mathrm{NONIDLE}(\alpha)$ thus consists of atoms from $\alpha$ and new edges. The atoms from $\alpha$ represent themselves; the new edges represent the chain they replaced.

Figure 6.1  The models we discuss here fit into a composition hierarchy. The boxes indicate sets of computation graphs; an arrow $M$ between two boxes indicates that model $M$ is a surjection from the one set onto the other. What's more, the functional identities we illustrate here are also model identities; e.g., the model LINEAR equals the composition of models $\mathrm{SYNC} \circ \mathrm{LINLINES}$.

Figure 6.2 illustrates the action of the NONIDLE model.

We can now define the linear timeline of interesting events:

Definition 6.3  For process $p \in$ PROC-NAMES, let

$$\mathrm{TIMELINE}_p = \mathrm{NONIDLE} \circ \mathrm{LINLINE}_p$$

We frequently want to consider the set of timelines as a whole, so we set up some shorthand:

Definition 6.4  Define the models LINLINES and TIMELINES:

$$\mathrm{LINLINES} = \bigcup_\emptyset \{\mathrm{LINLINE}_p : p \in \text{PROC-NAMES}\}$$

$$\mathrm{TIMELINES} = \bigcup_\emptyset \{\mathrm{TIMELINE}_p : p \in \text{PROC-NAMES}\}$$

6.2. Across Processes

Messages  We define a model that captures a cross-process order induced by message passing:

Definition 6.5  The model MSG on ground-level computation graph $\alpha$ retains only send and receive nodes, and draws a ghost edge from $A$ to $B$ only when $B$ is the receipt of the message sent at $A$.

Edges are ghosts in MSG because all we want to know is whether a message got through or not. If we were interested in exploring fault tolerance in message transmission, then perhaps we would want to expand what an edge represents.


Figure 6.2  The model NONIDLE replaces maximal chains of idle nodes by a representative edge.
Linear Synchronization  As an aside, we can define a model SYNC that links up equal length straight-line graphs by grouping each "column" of events into an equivalence class.

Definition 6.6  Let the model SYNC act on a collection of equal length timelines, one per process, by drawing a ghost edge from the $m$ node at process $P_i$ to the $m+1$ node at each process $P_j$ ($j \neq i$).

Whether SYNC actually performs meaningful synchronization depends on the graphs it acts on: whether the equivalence classes can be meaningfully regarded as synchronized units.

For example, SYNC allows us to give a bottom-up definition of LINEAR:

$$\mathrm{LINEAR} = \mathrm{SYNC} \circ \mathrm{LINLINES}$$


6.3. Partial Order Time

The model LINEAR induces the linear time order $\xrightarrow{\mathrm{LINEAR}}$. This only makes sense, as the trace ordering follows real time. However, our building blocks allow us to define an alternative:

Definition 6.7  Define the partial order time model POT:

$$\mathrm{POT} = \mathrm{MSG} \cup (\mathrm{EXTREMA} \circ \mathrm{TIMELINES})$$

Essentially capturing Lamport's causal dependency partial order, the POT model is the primary focus of the remainder of this paper.
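The model pipeline of Definitions 5.1, 5.5, 5.6 and 6.1 to 6.7 carried out in Python on a constructed two-process run, as an added example that is not part of the paper. The trace format, the node ids, the labels BOT and TOP for the ghost bounds, and the omission of edge constituencies are assumptions of this example.

```python
# Added example (Python), not the paper's code: the models of Sections 5.2, 5.6
# and 6.1-6.3 run on a constructed two-process computation.  A graph is (nodes,
# edges): nodes maps node id -> label, edges is a set of (src, dst).  Ground-level
# ids (proc, slot) represent themselves; "BOT"/"TOP" are EXTREMA's ghost bounds.

def ground_graph(traces):
    """Ground-level graph from per-process traces (constructed input): column i
    is real-time slot i; labels are start/idle/compute/send:<m>/recv:<m>/stop."""
    nodes, edges = {}, set()
    for p, labels in traces.items():
        for i, lab in enumerate(labels):
            nodes[(p, i)] = lab
            if i > 0:
                edges.add(((p, i - 1), (p, i)))
    return nodes, edges

def linline(graph, p):
    """LINLINE_p (Definition 6.1): the subgraph of events at process p."""
    sub = {n: lab for n, lab in graph[0].items() if n[0] == p}
    return sub, {(a, b) for a, b in graph[1] if a in sub and b in sub}

def nonidle(graph):
    """NONIDLE (Definition 6.2): each maximal chain of idle nodes, every one
    of in-degree and out-degree one, becomes a single representative edge."""
    nodes, edges = dict(graph[0]), set(graph[1])
    for v in [n for n, lab in nodes.items() if lab == "idle"]:
        preds = [a for a, b in edges if b == v]
        succs = [b for a, b in edges if a == v]
        if len(preds) != 1 or len(succs) != 1:
            raise ValueError("NONIDLE undefined: idle node of degree != 1/1")
        edges -= {(preds[0], v), (v, succs[0])}
        edges.add((preds[0], succs[0]))  # this edge stands for the chain
        del nodes[v]
    return nodes, edges

def timelines(graph):
    """TIMELINES (Definitions 6.3, 6.4): disjoint union (Definition 5.6) over
    all processes p of NONIDLE o LINLINE_p; node ids are already distinct."""
    parts = [nonidle(linline(graph, p)) for p in sorted({n[0] for n in graph[0]})]
    nodes = {n: lab for g in parts for n, lab in g[0].items()}
    return nodes, set().union(*(g[1] for g in parts))

def reach(graph):
    """Transitive closure TRANS, as a map node -> set of nodes reachable from it."""
    out = {n: set() for n in graph[0]}
    for a, b in graph[1]:
        out[a].add(b)
    closure = {}
    for n in out:
        seen, stack = set(), [n]
        while stack:
            for y in out[stack.pop()] - seen:
                seen.add(y)
                stack.append(y)
        closure[n] = seen
    return closure

def extrema(graph):
    """EXTREMA (Definition 5.1): minima of the transitive closure collapse into
    one ghost node BOT, maxima into TOP; edges join the images under F."""
    nodes, edges = graph
    closure = reach(graph)
    minima = {n for n in nodes if not any(n in closure[m] for m in nodes)}
    maxima = {n for n in nodes if not closure[n]}
    f = {n: n for n in nodes}
    f.update({n: "BOT" for n in minima})
    f.update({n: "TOP" for n in maxima})
    new_nodes = {n: lab for n, lab in nodes.items() if f[n] == n}
    new_nodes.update({"BOT": "bottom"} if minima else {})
    new_nodes.update({"TOP": "top"} if maxima else {})
    return new_nodes, {(f[a], f[b]) for a, b in edges}

def msg(graph):
    """MSG (Definition 6.5): send/receive nodes, plus one ghost edge from each
    send to the receipt of the same message."""
    kept = {n: lab for n, lab in graph[0].items()
            if lab.startswith(("send:", "recv:"))}
    sends = {lab[5:]: n for n, lab in kept.items() if lab.startswith("send:")}
    return kept, {(sends[lab[5:]], n) for n, lab in kept.items()
                  if lab.startswith("recv:") and lab[5:] in sends}

def union(g1, g2):
    """Union of models (Definition 5.5) under COMM: a ground-level node is its
    own constituency, so equal ids are identified, while BOT/TOP occur on one
    side only; edges with identified endpoints merge (constituencies not kept)."""
    return {**g1[0], **g2[0]}, g1[1] | g2[1]

def pot(graph):
    """POT = MSG U (EXTREMA o TIMELINES) (Definition 6.7)."""
    return union(msg(graph), extrema(timelines(graph)))

def precedes(graph, a, b):
    """Precedence in a model graph: some path leads from a to b."""
    return b in reach(graph)[a]

# Constructed run: p computes, sends m1 to q, computes again; q idles until the
# receipt, then computes.  Slots (p,3) and (q,4) are real-time ordered, not POT.
TRACES = {"p": ["start", "compute", "send:m1", "compute", "stop"],
          "q": ["start", "idle", "idle", "recv:m1", "compute", "stop"]}
POT_GRAPH = pot(ground_graph(TRACES))
```

Querying `precedes(POT_GRAPH, ("p", 3), ("q", 4))` and the reverse both return False: the two compute events are concurrent in POT although real time orders them, while `precedes(POT_GRAPH, ("p", 1), ("q", 4))` holds through the message edge.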

Chapter  7 

Relationships  Between  Models 

The handful of models presented so far suggest some natural ways we can consider one model to be "part" of another. For example:

• $\mathrm{POT}(\alpha)$ is always a subgraph of $(\mathrm{EXTREMA} \circ \mathrm{LINEAR})(\alpha)$.

• If two graphs $\alpha_1$ and $\alpha_2$ give the same POT image, then they give the same $\mathrm{TIMELINE}_p$ image.

• Indeed, given any graph generated by POT, we can uniquely identify the component that $\mathrm{TIMELINE}_p$ generates.

• In a rough sense, POT almost appears to be a model on its TIMELINES components.

This chapter presents formal machinery to describe these relationships. Section 7.1 describes forms of containment (the first bullet); Section 7.2 presents refinement (the second bullet); and Section 7.3 presents components (the third bullet). Finally, Section 7.4 describes how a set of components may comprise a decomposition of a model, and how we can factor this decomposition out of the model (the fourth bullet).


7.1. Containment

We want to describe the relationship when the action of one model always includes the action of another. Section 7.1.1 develops the containment relation; Section 7.1.2 introduces a related tool, the containment map, and Section 7.1.3 sketches some uses of containment.
7.1.1. The Containment Relation

Suppose two models $M_1$ and $M_2$ share¹ the same domain $\mathcal{D}$. A minimum requirement for $M_1$ to be contained in $M_2$ is that for any $\alpha \in \mathcal{D}$, $M_1(\alpha)$ is isomorphic to a subgraph of $M_2(\alpha)$.² However, once again the representational aspect of models complicates things. The atoms in $M_1(\alpha)$ and $M_2(\alpha)$ carry additional meaning: their constituencies in $\alpha$. For $M_1$ to be contained in $M_2$, we also require that corresponding constituencies also satisfy a containment relation.

To avoid some pathological situations, we will require uniqueness of pairing.

Definition 7.1  Suppose models $M_1$ and $M_2$ act on the same domain $\mathcal{D}$. Model $M_1$ is contained in $M_2$, written

$$M_1 \sqsubseteq M_2$$

when for each $\alpha \in \mathcal{D}$, there exists a unique pairing $P$ between $M_1(\alpha)$ and $M_2(\alpha)$ satisfying these two conditions:

1. Isomorphism  There exists $\beta \subseteq M_2(\alpha)$ such that

$$M_1(\alpha) \cong_P \beta$$

2. Constituency Containment  If $(x_1, x_2) \in P$ then

$$\langle M_1, \alpha \rangle(x_1) \subseteq \langle M_2, \alpha \rangle(x_2)$$

The symbol for containment ($\sqsubseteq$) contains two elements, suggesting isomorphism ($\cong$) and subgraph ($\subseteq$). These concepts characterize containment: $M_1 \sqsubseteq M_2$ when each $M_1$ graph is isomorphic to a subgraph of the corresponding $M_2$ graph (with representation behaving nicely).

Special Cases  Suppose $M_1 \sqsubseteq M_2$, with domain $\mathcal{D}$. Then for each $\alpha \in \mathcal{D}$, Definition 7.1 tells us that two graphs, $M_1(\alpha)$ and a subgraph of $M_2(\alpha)$, will satisfy Condition 1 and Condition 2. However, each of these conditions has a natural alternative that is more restrictive:

1'. Identity  The graphs are identical.

2'. Constituency Equality  The constituency of each atom in the $M_2$ subgraph equals the constituency of the corresponding atom in the $M_1$ graph.

¹ Naturally, we can make any pair of models share the same domain by replacing the individual domains with their intersection.

² We could require identity instead of isomorphism, but that would lead to some label awkwardness in Chapter 8 when we want to merge individual process graphs into a global graph. The relabeling that isomorphism permits will be convenient.
We obtain special cases of containment by replacing the original conditions with their stronger versions:

Definition 7.2  Suppose $M_1 \sqsubseteq M_2$.

• If $M_1$ and $M_2$ also satisfy Definition 7.1 with Condition 1 replaced by Condition 1', we say that $M_1$ is directly contained in $M_2$ and write

$$M_1 \sqsubseteq_{\mathrm{d}} M_2$$

• If $M_1$ and $M_2$ also satisfy Definition 7.1 with Condition 2 replaced by Condition 2', we say that $M_1$ is strongly contained in $M_2$ and write

$$M_1 \sqsubseteq_{\mathrm{s}} M_2$$

Since the two conditions of Definition 7.1 are independent, we can strengthen both simultaneously, giving a third version:

• If $M_1$ and $M_2$ also satisfy Definition 7.1 with Condition 1 replaced by Condition 1' and Condition 2 replaced by Condition 2', we say that $M_1$ is strongly directly contained in $M_2$ and write

$$M_1 \sqsubseteq_{\mathrm{sd}} M_2$$

Each of these relations is clearly transitive.

Figure 7.1 distinguishes containment from direct containment; Figure 7.2 distinguishes containment from strong containment.

Proposition 7.3  For any $M_1, M_2$,

1. $M_1 \sqsubseteq_{\mathrm{d}} M_2 \implies M_1 \sqsubseteq M_2$

2. $M_1 \sqsubseteq_{\mathrm{s}} M_2 \implies M_1 \sqsubseteq M_2$

Proof  Condition 1' implies Condition 1, and Condition 2' implies Condition 2. □


7.1.2. The Containment Map

It will be useful to transform the unique pairing from Definition 7.1 into a function:

Definition 7.4  Suppose $M_1 \sqsubseteq M_2$, with shared domain $\mathcal{D}$. For $\alpha \in \mathcal{D}$, let $P$ be the unique pairing satisfying Definition 7.1. Define the containment map $\langle\langle M_2, M_1, \alpha \rangle\rangle$ to be the bijection that $P$ determines from the $M_2(\alpha)$ subgraph back to $M_1(\alpha)$. That is,

$$\langle\langle M_2, M_1, \alpha \rangle\rangle(x_2) = x_1 \quad \text{where } (x_1, x_2) \in P$$

We can regard $\langle\langle M_2, M_1, \alpha \rangle\rangle$ as a partial function on all of $M_2(\alpha)$.

Figure 7.1  Containment of any form requires that one model always produces a graph isomorphic to a subgraph of what another model produces. However, for direct containment, this isomorphism is in fact the identity. The left diagram shows ordinary containment: $M_1 \sqsubseteq M_2$; the right diagram shows direct containment: $M_1 \sqsubseteq_{\mathrm{d}} M_2$.

Figure 7.2  If $M_1 \sqsubseteq M_2$, then the $M_1$ representation on any atom $x$ yields a subset of what the $M_2$ representation yields on the matching atom $y$ (left). For strong containment $M_1 \sqsubseteq_{\mathrm{s}} M_2$, the representations are equal (right).


Figure 7.3 illustrates the action of the containment map.

Hiding Awkward Notation  Strictly speaking, the $\langle\langle M_2, M_1, \alpha \rangle\rangle$ function is partial. As such, it is not defined for some elements of its domain: namely, the atoms from $M_2(\alpha)$ that are not part of the subgraph corresponding to $M_1(\alpha)$. In order to prevent statements like "take the union of $\langle\langle M_2, M_1, \alpha \rangle\rangle$ over the set $W$" from becoming too awkward (because we would have to explicitly specify the subset of $W$ for which the containment map is defined), we will adopt the convention that identification maps are "defined" on the remaining elements in the domain, but they just produce the empty set.

Figure 7.3  When one model contains another, a unique pairing connects the graphs they produce. Here we see that $M_1 \sqsubseteq M_2$, so $M_1(\alpha)$ is isomorphic to a subgraph $\beta$ of $M_2(\alpha)$. The containment map $\langle\langle M_2, M_1, \alpha \rangle\rangle$ acts on all of $M_2(\alpha)$ to take this subgraph back to $M_1(\alpha)$.

This convention allows statements like the following:

$$M_1(\alpha) = \bigcup_{x \in M_2(\alpha)} \langle\langle M_2, M_1, \alpha \rangle\rangle(x)$$

7.1.3. Using Containment

Temporal Relations  Suppose $M_1 \sqsubseteq M_2$ act on graph $\alpha$. Then we obtain $M_2(\alpha)$ by copying $M_1(\alpha)$, changing the labels, and adding more edges and nodes. This observation yields the following facts:

Proposition 7.5  Suppose $M_1 \sqsubseteq M_2$ act on graph $\alpha$. Let $A_2$ and $B_2$ be nodes in $M_2(\alpha)$. Suppose $\langle\langle M_2, M_1, \alpha \rangle\rangle$ is defined on these nodes; define:

$$A_1 = \langle\langle M_2, M_1, \alpha \rangle\rangle(A_2)$$

$$B_1 = \langle\langle M_2, M_1, \alpha \rangle\rangle(B_2)$$

Then:

$$A_1 \xrightarrow{M_1} B_1 \implies A_2 \xrightarrow{M_2} B_2$$

$$A_2 \stackrel{M_2}{\not\longrightarrow} B_2 \implies A_1 \stackrel{M_1}{\not\longrightarrow} B_1$$

Proof  Edges in the $M_1$ graph show up in its isomorphic image in the $M_2$ graph. □


Ignoring Edges  Situations arise when we would rather ignore the edge constituencies when worrying about containment. To handle these cases, we introduce a new operator:

Definition 7.6  The model GHOSTIFY transforms a computation graph by forcing all edges to be ghosts.

Transitive Closure  Taking the transitive closure will not cause containment to stop holding:

Proposition 7.7  For models $M_1, M_2$:

$$M_1 \sqsubseteq M_2 \implies \overline{M_1} \sqsubseteq \overline{M_2}$$

$$M_1 \sqsubseteq_{\mathrm{d}} M_2 \implies \overline{M_1} \sqsubseteq_{\mathrm{d}} \overline{M_2}$$

Proof  TRANS adds only ghost edges; and if TRANS adds an edge to the $M_1$ graph that didn't already exist in the $M_2$ graph, then TRANS will also add that edge to the $M_2$ graph. □

Proposition 7.7 does not hold for strong containment: suppose $M_2$ already has transitive edges in its $M_1$ image, except these edges are not ghosts.
Examples of Containment  The family of models from Chapter 6 provides a number of natural examples of containment:

Proposition 7.8  For $p \in$ PROC-NAMES:

1. $\mathrm{TIMELINE}_p \sqsubseteq \mathrm{EXTREMA} \circ \mathrm{TIMELINES}$

2. $\mathrm{EXTREMA} \circ \mathrm{TIMELINES} \sqsubseteq \mathrm{POT}$

3. $\mathrm{TIMELINE}_p \sqsubseteq \mathrm{POT}$

4. $\mathrm{GHOSTIFY} \circ \mathrm{POT} \sqsubseteq \mathrm{EXTREMA} \circ \mathrm{LINEAR}$

5. $\mathrm{LINLINES} \sqsubseteq \mathrm{LINEAR}$

Proof

1. The $p$ timeline shows up in the complete set; the representations coincide exactly except for the transitive extrema.

2. Only the message edges (and the transitive edges they imply) are missing.

3. Containment is transitive.

4. The POT graph is clearly a subgraph. The nodes have identical representations. But the edges of POT that do not appear in LINEAR will correspond to ghost edges in LINEAR. The POT versions of these edges may actually represent something; hence the GHOSTIFY.

5. Only the SYNC edges are missing. □


7.2. Refinement

Suppose we have two time models that act on the same domain of computation graphs. Section 7.1 provides the terminology to talk about the situation when one model's graphs always contain images of the other model's graphs. However, our research has demonstrated the need to talk about a more subtle correlation: if model $M_1$ collapses a set of input graphs by taking each of them to the same output graph, then model $M_2$ also collapses this set. This property allows us to compare $M_1$ and $M_2$ graphs without having to go all the way back to the input graphs.

Formally, a model $M$ with domain $\mathcal{D}$ induces a natural partition on a set $\mathcal{S} \subseteq \mathcal{D}$: just take the collection of sets $M^{-1}(M(\alpha))$ for $\alpha \in \mathcal{S}$. If two models $M_1$ and $M_2$ on the same domain have the property that, for any set, the $M_2$ partition is strictly coarser, then specifying the computation graph $M_1(\alpha)$ also determines the specific computation graph $M_2(\alpha)$. In some sense, the actual value of $\alpha$ is irrelevant.
Definition 7.9  Suppose models $M_1$ and $M_2$ on the domain $\mathcal{D}$ have the property that, for all $\alpha, \alpha' \in \mathcal{D}$:

$$M_1(\alpha) = M_1(\alpha') \implies M_2(\alpha) = M_2(\alpha')$$

Then we say that $M_1$ refines to $M_2$, and we write $M_1 \triangleright M_2$.

Clearly, refinement is transitive.

The relation $M_1 \triangleright M_2$ induces a function from $M_1(\mathcal{D})$ to $M_2(\mathcal{D})$: we write $\beta_1 \triangleright \beta_2$ when $\beta_1 \in M_1(\mathcal{D})$ and $M_1^{-1}(\beta_1) \subseteq M_2^{-1}(\beta_2)$. (This function does not extend to be a model itself because of the lack of any kind of representation. We have no well-defined correspondence between the atoms of a particular graph that $M_2$ produces and the atoms of the graph that $M_1$ produces on the same input.)

Figure 7.4 illustrates these relationships.

Transitive Closure  Taking the transitive closure will not cause refinement to stop holding:

Proposition 7.10  For models $M_1, M_2$:

$$M_1 \triangleright M_2 \implies \overline{M_1} \triangleright \overline{M_2}$$

Proof  This follows directly from Definition 7.9. □

Abstraction Hierarchies  Refinement allows us to put models into "abstraction hierarchies": chains of models on a given domain that monotonically lose information, or gain abstraction.

Proposition 7.11  For any $p \in$ PROC-NAMES:

$$\mathrm{LINEAR} \triangleright \mathrm{POT} \triangleright \mathrm{TIMELINES} \triangleright \mathrm{TIMELINE}_p$$

$$\mathrm{LINEAR} \triangleright \mathrm{LINLINES} \triangleright \mathrm{LINLINE}_p$$

Proof  These assertions follow directly from the definitions of the models. □

7.3. Components

Suppose $M_1 \sqsubseteq M_2$, with shared domain $\mathcal{D}$. Then for any $\alpha \in \mathcal{D}$, $M_1(\alpha)$ shows up in $M_2(\alpha)$. However, this is still not sufficient to talk about the $M_1$ component of a graph $\beta \in M_2(\mathcal{D})$: suppose $\gamma$ is the $M_2$ image of both $\alpha$ and $\alpha'$ in $\mathcal{D}$ (that is, $M_2(\alpha) = M_2(\alpha') = \gamma$), but $M_1(\alpha) \neq M_1(\alpha')$. Figure 7.5 illustrates this counterexample.

Figure 7.4  This diagram illustrates refinement: $M_1 \triangleright M_2$. The dashed arrows indicate the action of $M_1$; the solid arrows indicate the action of $M_2$. We see that when $M_1$ identifies two graphs (for example, $\alpha$ and $\alpha'$) by taking them to the same image, then $M_2$ also identifies those two graphs. We see that the $M_1$ value determines the $M_2$ value: for example, knowing that $M_1$ takes a graph to $\beta_1$ is sufficient to conclude that $M_2$ takes that graph to $\beta_2$. We write $\beta_1 \triangleright \beta_2$ to describe this relationship.

Figure 7.5  Containment does not guarantee well-defined components. Although $M_1 \sqsubseteq M_2$, model $M_1$ may be isomorphic to different subgraphs depending on the original graph. Here, $\gamma = M_2(\alpha) = M_2(\alpha')$, but $\beta$, the subgraph isomorphic to $M_1(\alpha)$, differs from $\beta'$, the subgraph isomorphic to $M_1(\alpha')$.

Talking unambiguously about the $M_1$ component of a graph generated by $M_2$ requires both containment and refinement:

Definition 7.12  Suppose $M_1$ and $M_2$ act on the same domain. $M_1$ is a component of $M_2$,

$$M_1 \Subset M_2$$

when $M_1 \sqsubseteq M_2$ and $M_2 \triangleright M_1$.

Each special case of containment (from Definition 7.2) gives rise to a corresponding special case of components:

Definition 7.13  Suppose $M_1$ and $M_2$ act on the same domain.

• If $M_1 \sqsubseteq_{\mathrm{d}} M_2$ and $M_2 \triangleright M_1$, then $M_1$ is a direct component of $M_2$:

$$M_1 \Subset_{\mathrm{d}} M_2$$

• If $M_1 \sqsubseteq_{\mathrm{s}} M_2$ and $M_2 \triangleright M_1$, then $M_1$ is a strong component of $M_2$:

$$M_1 \Subset_{\mathrm{s}} M_2$$

• If $M_1 \sqsubseteq_{\mathrm{sd}} M_2$ and $M_2 \triangleright M_1$, then $M_1$ is a strong direct component of $M_2$:

$$M_1 \Subset_{\mathrm{sd}} M_2$$

Each of these relations is transitive.

Informally,  Mi  c  M2  when  the  containment  isomorphism  takes  the  Mi  graph  to  a  well-defined 
subgraph  of  M2.  One  can  take  any  graph  produced  by  M2  and  unambiguously  select  the  Mi 
component. 

Transitive Closure  As with containment, taking the transitive closure will not cause the non-strong component relations to stop holding. Writing $\overline{M}$ for the transitive closure of model $M$:

Proposition 7.14  For models $M_1$, $M_2$:

$$M_1 \sqsubseteq M_2 \;\Rightarrow\; \overline{M_1} \sqsubseteq \overline{M_2}$$

and likewise when $M_1$ is a direct component of $M_2$.

Proof  This follows directly from Proposition 7.7 and Proposition 7.10. □


Examples  Our family of models provides some examples of components.

Proposition 7.15  For each $p \in$ PROC-NAMES:

$$\mathrm{TIMELINE}_p \sqsubseteq \mathrm{POT}$$
$$\mathrm{LINLINE}_p \sqsubseteq \mathrm{LINEAR}$$

Proof  Proposition 7.8 gives containment; Proposition 7.11 gives refinement. □


7.4.  Decomposition 

We have seen in Chapter 6 that our two more complex time models, LINEAR and POT, each have a fairly significant straight-line substructure. The LINEAR model has LINLINES; the POT model has TIMELINES.

Informally, we want to be able to talk about temporal orderings both in such higher-level models and in their substructures. The LINEAR model easily grants this ability. Not only is LINLINES a component of LINEAR; the "factorization"

$$\mathrm{LINEAR} = \mathrm{SYNC} \circ \mathrm{LINLINES}$$

gives us a straightforward way to talk about the LINLINES graph of a computation as an intermediate step on the way to the LINEAR graph.


Performing the same task with the POT model is challenging. It cannot be the case that $\mathrm{TIMELINES} \sqsubseteq \mathrm{POT}$, because $\mathrm{TIMELINES} \subseteq \mathrm{POT}$ cannot hold: since the global extrema of POT graphs bind together the local extrema of TIMELINES graphs, a bijection cannot exist. However, the POT model does contain the individual $\mathrm{TIMELINE}_p$ models. Further, the collection of these individual component models refines to the POT model.

Suppose we defined a model $\mathrm{MSG}'$ that takes graphs with send and receive events and adds the MSG edges:

$$\mathrm{MSG}'(\alpha) = \alpha \cup \mathrm{MSG}(\alpha)$$

Then we could factor POT as well:

$$\mathrm{POT} = (\mathrm{MSG}' \circ \mathrm{EXTREMA}) \circ \mathrm{TIMELINES}$$

In this paper, we lay the foundations for work with models more general than POT and LINEAR. Hence, we want to isolate the general rule at work in this factorization. This section carries out this task. In Section 7.4.1 we explore the relationship between a model $M$ and a single component $M_1 \sqsubseteq M$. In Section 7.4.2 we demonstrate that a sufficiently rich set of components $\{M_1, \ldots, M_k\}$ will form a decomposition of a model $M$: a substructure that we can factor out.


7.4.1.  Model and Component

Suppose $M_1$ is a submodel of $M$. For any $\alpha$ in the shared domain, the containment map $\langle\!\langle M, M_1, \alpha \rangle\!\rangle$ takes the atoms of the $M$ graph back to the atoms of the $M_1$ graph. Suppose, for all $\alpha$, some further properties hold:

•  $M_1 \triangleright M$

•  The containment map $\langle\!\langle M, M_1, \alpha \rangle\!\rangle$ is defined on all non-ghosts in the $M$ graph.

•  Whenever an atom of the $M$ graph represents anything, it represents the same thing as its $\langle\!\langle M, M_1, \alpha \rangle\!\rangle$ image in the $M_1$ graph.

The first property implies that each $M_1$ graph determines an $M$ graph, and the second and third imply that the atoms of the $M_1$ graph determine (through the containment map) the constituencies of the atoms of the $M$ graph.

Hence we can obtain a model $M_2$ satisfying $M = M_2 \circ M_1$.

Such an induced model would be practically the identity: we're just taking the $M_1$ graph, relabeling the nodes, and possibly adding ghosts. However, if we had a set of components $\{M_i\}$ satisfying a few convenient properties, rather than just the single submodel $M_1$, then we could induce a model that is not so trivial. This insight yields the technique of decomposing models into components.


7.4.2.  Decomposing  Models  into  Components 


When a collection of models $M_1, M_2, \ldots, M_k$ are each components of a model $M$, then each atom in $M(\alpha)$ maps to a set (possibly empty) of atoms in the collection of graphs $M_i(\alpha)$. If this set determines the $\alpha$ representation of the $M$ atom, and the disjoint union of the collection refines to $M$, then we can do some fun things.

Definition 7.16  Suppose $M$ is a model on domain $\mathcal{D}$, $\{M_1, \ldots, M_k\}$ is a finite set of models on the same domain, and $M' = \bigsqcup \{M_1, \ldots, M_k\}$ is their disjoint union. Then $M'$ is a decomposition of $M$, with decomposition set $\{M_1, \ldots, M_k\}$, when:

•  $M_i \sqsubseteq M$ for each $i$

•  $M' \triangleright M$

•  For all graphs $\alpha \in \mathcal{D}$ and for all atoms $x \in M(\alpha)$,

$$\langle M, \alpha \rangle (x) = \bigcup_{i=1}^{k} \langle M_i, \alpha \rangle \big( \langle\!\langle M, M_i, \alpha \rangle\!\rangle (x) \big)$$

Figure 7.6 illustrates the representation condition (the third bullet).

Proposition 7.17  If $M'$ is a decomposition of $M$, then $\overline{M'}$ is a decomposition of $\overline{M}$.

Proof  This assertion follows from Proposition 7.10, Proposition 7.14 and Definition 7.16. □


Proposition 7.18  The following hold:

1.  TIMELINES is a decomposition of POT.

2.  LINLINES is a decomposition of LINEAR.

Proof  Both statements assert that a model decomposes to a disjoint union of a set of models. Proposition 7.15 gives that each element in the set is a component of the model. Proposition 7.11 gives refinement; and the definitions of the models give the representation condition. □


Model Your Own Decomposition  When a collection of components $\{M_i\}$ is a decomposition set for model $M$, then we can determine whatever any $M$ atom represents from what its $\{M_i\}$ atoms represent. Hence we can perform the desired factorization and insert $\{M_i\}$ between the input graphs and $M$.

Figure 7.6  For a set of components to form a decomposition of a model, the constituencies of the set should determine the constituencies of the model. In this example, we consider the model $M$ and the set of components $\{M_i\}$. We have two routes from an atom in $M(\alpha)$ back to $\alpha$. We can go directly through the representation map $\langle M, \alpha \rangle$ (solid arrow); or we can go to each $M_i(\alpha)$ through the containment maps $\langle\!\langle M, M_i, \alpha \rangle\!\rangle$, and from there to $\alpha$ through the representation maps $\langle M_i, \alpha \rangle$ (dashed arrows). For the model $M' = \bigsqcup \{M_i\}$ to be a decomposition, these routes must always yield the same set of atoms in $\alpha$.
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Definition  7.19  Suppose  M  on  domain  V  has  decomposition  M',  with  decompo¬ 
sition  set  {Mi,...,Mfc}.  Defintiht  factoring  model  M/M'  on  the  domain  M'(P)  as 
follows. 

Let  =  M'(a),  for  a  e  V.  Then  M/M'  takes  ^  to  the  7  from  M(2))  satisfying 
>  7.  The  representation  map  applies  each  containment  map  to  an  atom  and  collects 
the  results: 


(M/M',/3)(x)  =  {{{M,  Mi,  a)){x)  :  l<i<k} 
Figure  7.7  sketches  the  structures  from  Definition  7.19. 


Theorem  7.20  (Factorization)  Suppose  model  M  has  decomposition  M'.  Then 

M  =  M/M'  o  M' 


Proof  This  assertion  follows  directly  from  Definition  7.16  and  Definition  7.19:  the  composition 
on  the  right  gives  the  same  transformation  action  and  representation  map  as  the  model  M.  □ 

The  observations  from  the  beginning  of  this  section  are  special  cases  of  the  Factorization 
Theorem: 


LINEAR/LINLINES  =  SYNC 
POT/TIMELINES  =  MSG'  o  EXTREMA 


Proposition  7.21  Suppose  model  M  has  decomposition  M',  with  decomposition 
set  {Mi,...,Mfc}.  Under  M/M’  ,  for  any  i,  an  atom  x  from  M  represents  either 
nothing  at  M,  or  an  image  of  itself  at  M^. 


Proof  By  Definition  7.16,  M,  c  M,  hence  Mi  C  M.  Thus  Mi(Q)  is  isomorphic  to  a  subgraph 
of  M(a),  and  this  relationship  determines  the  representations  in  M/M' .  □ 
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Figure  7.7  Model  M  with  decomposition  M'  induces  a  factoring  model  M/M' .  The 
decomposition  M'  =  UalMJ  takes  a  (bottom)  to  ^  (middle) ;  the  model  M  takes  o 
to  7  (top).  The  factoring  model  M/M'  takes  p  to  7;  in  the  new  model,  an  atom  of 
7  represents  the  union  of  its  images  in  each  M,  component.  (Solid  arrows  indicate 
both  the  action  and  the  representation  of  the  new  model.  Dashed  arrows  indicate 
the  action  of  M,  M',  and  the  containment  maps.) 
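As an added worked example (Python written for this edit, not code from the original text), the following encodes the factorization $\mathrm{POT} = (\mathrm{MSG}' \circ \mathrm{EXTREMA}) \circ \mathrm{TIMELINES}$ on a constructed two-process computation and checks the representation condition of Definition 7.16 and the one-image-per-component property of Proposition 7.21. The encoding is this example's own: each $\mathrm{TIMELINE}_p$ carries ghost atoms `bot@p` and `top@p` that represent nothing, EXTREMA merges them into global `BOT` and `TOP`, representation maps and constituencies are plain dictionaries, and the event names and the single message are made up.

```python
"""Factoring POT through TIMELINES: POT = (MSG' o EXTREMA) o TIMELINES.

Added example, not from the original text. ALPHA is a constructed
ground-level computation: each process lists its events in order, and SENDS
pairs each send event with its receive event. Ghost atoms bot@p / top@p are
this example's encoding of the local extrema of TIMELINE_p; BOT / TOP are
the POT global extrema that EXTREMA merges them into.
"""

ALPHA = {"p": ["p1", "p2", "p3"], "q": ["q1", "q2"]}   # constructed computation
SENDS = [("p1", "q2")]                                  # (send event, receive event)
BOT, TOP = "BOT", "TOP"


def timeline(proc, alpha):
    """TIMELINE_p: straight-line graph of p's events between local ghost extrema.
    rep encodes <TIMELINE_p, alpha>: real events represent themselves, ghosts nothing."""
    nodes = [f"bot@{proc}", *alpha[proc], f"top@{proc}"]
    edges = set(zip(nodes, nodes[1:]))
    rep = {n: (set() if "@" in n else {n}) for n in nodes}
    return nodes, edges, rep


def timelines(alpha):
    """TIMELINES: the disjoint union of the TIMELINE_p graphs (pieces kept by process)."""
    parts = {p: timeline(p, alpha) for p in alpha}
    nodes = [n for p in parts for n in parts[p][0]]
    edges = set().union(*(parts[p][1] for p in parts))
    rep = {n: r for p in parts for n, r in parts[p][2].items()}
    return nodes, edges, rep, parts


def extrema(nodes, edges):
    """EXTREMA: merge every bot@p into BOT and every top@p into TOP.
    Also returns each new atom's constituency, i.e. the TIMELINES atoms it absorbs;
    this is the set of containment-map images <<POT, TIMELINE_p, alpha>>(x)."""
    def merge(n):
        return BOT if n.startswith("bot@") else TOP if n.startswith("top@") else n
    constituents = {}
    for n in nodes:
        constituents.setdefault(merge(n), set()).add(n)
    return list(constituents), {(merge(a), merge(b)) for a, b in edges}, constituents


def msg_prime(nodes, edges, sends):
    """MSG': keep the graph and add one edge per (send, receive) pair."""
    return nodes, edges | set(sends)


def pot(alpha, sends):
    """POT built through the factorization. Following Definition 7.19, a POT atom
    represents the union of what its TIMELINES constituents represent."""
    t_nodes, t_edges, t_rep, _ = timelines(alpha)
    e_nodes, e_edges, constituents = extrema(t_nodes, t_edges)
    nodes, edges = msg_prime(e_nodes, e_edges, sends)
    rep = {x: set().union(*(t_rep[y] for y in constituents[x])) for x in nodes}
    return nodes, edges, rep, constituents


def pot_direct_rep(alpha):
    """<POT, alpha> written down directly: events represent themselves, extrema nothing."""
    rep = {e: {e} for evs in alpha.values() for e in evs}
    rep[BOT], rep[TOP] = set(), set()
    return rep


def decomposition_condition_holds(alpha, sends):
    """Third bullet of Definition 7.16 (Figure 7.6): the direct route POT -> alpha
    agrees with the route POT -> TIMELINE_p -> alpha, unioned over p."""
    _, _, rep, _ = pot(alpha, sends)
    return rep == pot_direct_rep(alpha)


def in_component(y, p, alpha):
    """Does TIMELINES atom y belong to the TIMELINE_p piece?"""
    return y in alpha[p] or y in (f"bot@{p}", f"top@{p}")


def one_image_per_component(alpha, sends):
    """Proposition 7.21: at each TIMELINE_p a POT atom represents nothing or one atom."""
    _, _, _, constituents = pot(alpha, sends)
    return all(sum(in_component(y, p, alpha) for y in ys) <= 1
               for ys in constituents.values() for p in alpha)


def extrema_constituencies(alpha, sends):
    """The binding described at the start of Section 7.4: BOT absorbs every local
    minimum and TOP every local maximum, one per process."""
    _, _, _, constituents = pot(alpha, sends)
    return constituents[BOT], constituents[TOP]
```

Because the direct representation and the route through the components agree, $\mathrm{POT}/\mathrm{TIMELINES}$ is exactly $\mathrm{MSG}' \circ \mathrm{EXTREMA}$ on this input; a hand-built POT that let `BOT` or `TOP` represent a ground event, or that merged two events of the same process, would fail `decomposition_condition_holds` or `one_image_per_component` respectively.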
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Part  III 

Simultaneity 


The  desire  to  distinguish  between  genuine  real  time  and  the  temporal  relations  that  processes 
themselves  perceive  motivated  the  development  of  the  model  family  in  Chapter  6.  The  LINEAR 
model  expresses  the  former;  the  POT  model  expresses  the  latter. 

A  natural  concept  from  traditional  linear  time  is  simultaneity:  at  any  given  moment,  a  single 
photograph  describes  the  state  of  the  system.  However,  simultaneity  is  one  of  the  first  casualties 
of  asynchrony  in  a  distributed  system.  We  can  still  talk  about  “consistent”  global  states,  but 
these  states  may  never  have  physically  occurred.  Time  ceases  to  be  a  nicely  behaved  sequence  of 
individual  moments. 

Part III explores these issues, and extends the previous work of Mattern [Ma89] and Johnson [Jo89, JoZw90].

Section  7.4  observed  that  the  goal  here  is  to  lay  a  foundation  for  more  general  work  with  more 
general  models  than  POT  and  LINEAR;  hence  Part  III  begins  in  Chapter  8  by  characterizing  these 
models. 

Chapter  9  explores  logical  simultaneity — global  states,  in  terms  of  the  semantics  of  time 
models — and  shows  how  these  can  form  a  lattice  structure.  Chapter  10  discusses  two  convenient 
vector  structures  that  arise  from  logical  simultaneity.  We  then  relate  logical  simultaneity  to  the 
simultaneity  of  real  time:  Chapter  11  explores  the  basic  structures;  Chapter  12  examines  why 
models  such  as  POT  fail  to  give  the  desired  simultaneity  properties;  and  Chapter  13  proposes  some 
solutions. 

Finally,  Chapter  14  makes  some  deeper  observations  about  the  structure  of  logical  global  states. 
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(Part  III) 


Chapter  8 

Parallel  Models 


This chapter characterizes the models to which the machinery of Part III applies: computation that takes place at different processes in parallel. Section 8.1 introduces the structure of the multiprocess pair: a model describing the local process computation, along with one describing the global system computation. Section 8.2 presents some tools for models with this structure, and Section 8.3 isolates some interesting subsets of multiprocess pairs, including the subset of parallel pairs, describing parallel computation.


8.1 .  Multiple  Processes 

We  want  a  two-level  perspective  on  system  behavior:  things  happen  locally  at  processes,  but  these 
things  also  happen  globally  in  the  system.  We  define  a  mechanism  to  provide  this  dual  perspective: 

Definition 8.1  Suppose models $M$ and $M'$ on ground-level computation graphs satisfy the following:

1.  $M'$ is a decomposition of $M$, with decomposition set $\{M_i\}$

2.  Each $M_i$ describes events at a unique process.*

3.  The factoring model $M/M'$ has no ghost events.

Then we say that $(M, M')$ is a multiprocess pair. Model $M$ is a multiprocess model, with multicomponent $M'$.

The family of models from Chapter 6 provides some natural (and intentional) examples: both (LINEAR, LINLINES) and (POT, TIMELINES) are multiprocess pairs.

* Actually, there's no reason why the "process" for this decomposition should be the same as the "process" for the basic system model of Chapter 2. This work should easily extend to handle such wrinkles as process migration and virtual processes.
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Suppose  multiprocess  pair  (M,  M')  acts  on  graph  a.  The  multicomponent  M'  transforms  graph 
a  into  a  set  of  local  process  descriptions;  the  model  M  transforms  graph  a  to  the  global  system 
description.  The  factoring  model  M/M'  takes  the  local  process  descriptions  to  the  global  system 
descriptions;  events  from  different  processes  may  meige,  but  no  new  events  are  added. 


Multiple  Perspectives  The  two  models  in  a  multiprocess  pair  provide  two  views  of  a  compu¬ 
tation:  as  independent  local  threads,  and  as  a  unified  global  whole.  Frequently  we  want  to  make 
another  kind  of  distinction:  between  basic  transitions  and  full  transitive  precedence.  For  example, 
in  the  (POT, TIMELINES)  we  may  want  to  distinguish  between  immediate  precedence 

A  — >B  in  TIMELINES 


and  transitive  precedence 


A  — in  TIMELINES 


Proposition  7.17  tells  us  that  if  (M,  M')  is  a  multiprocess  pair,  then  so  is  (M,  M').  So  suppose 
we  want  to  build  transitive  temporal  relations  arising  from  some  notion  of  “basic  transition  steps.” 
If  we  build  (M,  M')  so  that  edges  express  basic  steps,  then  (M,  M')  is  a  parallel  pair  giving  the 
full  transitive  steps.  Thus  the  multiprocess  pair  (M,  M')  provides  four  views  of  an  underlying 
computation  a.  Figure  8.1  illustrates  the  multiple  perspectives. 


8.2.  Tools 


We  now  introduce  some  tools  to  facilitate  using  the  multiprocess  pair  machinery. 


8.2.1 .  Projection 

Working  with  multiprocess  pairs  will  frequently  require  constructing  objects  with  the  structure 
“one  thing  per  each  process  component.”  We  use  standard  notation  to  move  between  each  object 
and  the  individual  entries: 


Definition 8.2  When a set has the property that each $p \in$ PROC-NAMES is unambiguously associated with a unique element of the set, we use projection to select these elements. For example, $M'$ is the disjoint union of process models; $\pi_p M'$ refers to the model for process $p$.
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local: 


global: 


full 

transitive 

precedence: 


basic 

transition 

steps: 


Figure  8.1  A  multiprocess  pair  provides  four  views  of  a  computation,  according  to 
two  independent  choices:  whether  we  use  the  model  or  the  multicomponent,  and 
whether  or  not  we  take  the  transitive  closure.  Here,  pair  (M,M')  acts  on  graph  a, 
with  p  =  M'(a)  and  7  =  M(a).  Graph  13  provides  the  basic  transition  step  version 
of  the  local  computation;  graph  ^  provides  the  full  transitive  closure.  Graphs  7  and 
7  provide  the  global  system  descriptions. 
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8.2.2.  Events  in  Models  and  Multicomponents 

Multiple Roles  Suppose graph $\alpha$ lies in the shared domain of multiprocess pair $(M, M')$. Each atom that $M$ produces has its origins in the process components from $M'$. In this sense, an atom $x$ from $M(\alpha)$ has multiple roles:

•  as itself: $x \in M(\alpha)$

•  as its $M'$ constituency: $\langle M/M', M'(\alpha) \rangle (x)$

•  as the atom (if any) it represents at a particular process component of $M'$: $\langle\!\langle M, \pi_p M', \alpha \rangle\!\rangle (x)$

An atom $x$ from $\overline{M}(\alpha)$ has two more roles:

•  as its $\overline{M'}$ constituency: $\langle \overline{M}/\overline{M'}, \overline{M'}(\alpha) \rangle (x)$

•  as the atom (if any) it represents at a particular process component of $\overline{M'}$: $\langle\!\langle \overline{M}, \pi_p \overline{M'}, \alpha \rangle\!\rangle (x)$

To simplify discussing these multiple roles, we introduce some notational shortcuts:

Definition 8.3  When multiprocess pair $(M, M')$ acting on graph $\alpha$ is understood, define these operators on atoms $x$ from $M(\alpha)$:

•  $x|_{M'} = \langle M/M', M'(\alpha) \rangle (x)$

•  $x|_p = \langle\!\langle M, \pi_p M', \alpha \rangle\!\rangle (x)$, for $p \in$ PROC-NAMES

For atoms $x$ in $\overline{M}(\alpha)$ define two more operators:

•  $x|_{\overline{M'}} = \langle \overline{M}/\overline{M'}, \overline{M'}(\alpha) \rangle (x)$

•  $x|_{\overline{p}} = \langle\!\langle \overline{M}, \pi_p \overline{M'}, \alpha \rangle\!\rangle (x)$, for $p \in$ PROC-NAMES

Extend each operator to act on sets of atoms by applying it to each element of the set and collecting the results.

The operators from Definition 8.3 possess simple mnemonics: $x|_{\mathit{foo}}$ is whatever $x$ represents in $\mathit{foo}$. These operations also satisfy some easy identities:

Proposition 8.4  For multiprocess pair $(M, M')$, let $x$ be an atom in a graph generated by $M$. Then:

$$x|_{M'} = \{ x|_p : p \in \text{PROC-NAMES} \}$$

If $x$ is an atom in a graph generated by $\overline{M}$, then

$$x|_{\overline{M'}} = \{ x|_{\overline{p}} : p \in \text{PROC-NAMES} \}$$

If $x$ is a node, then for any $p \in$ PROC-NAMES:

$$x|_p = x|_{\overline{p}}$$

Proof  These assertions follow directly from Definition 8.3 and Definition 7.16, and the fact that transitive closure only adds edges. □


From "Nodes" to "Events"  Time models produce computation graphs. However, in practice these graphs describe computations; nodes in a graph correspond to events in the computation.

Until now, we've talked about computation graphs as graphs; hence we've referred to nodes as nodes. But now we want to begin using graphs as descriptions of computations; hence we shift terminology from "node" (the object in the graph) to "event" (the reality presumably behind this object).

8.2.3.  Temporal  Relations  in  Models  and  Multicomponents. 

Localizations  Since the individual process models are in fact components of the global model, a path between two events in the multicomponent induces an edge between those events in a multiprocess model. It will be useful to talk about these edges without having to move down to the multicomponent and back up. We can do this by trimming down the $M$ graph to include only those edges arising out of $M'$. These will be the non-ghosts in the factoring model.

Definition 8.5  The localization of multiprocess pair $(M, M')$ is the model $L$ that takes the event set from $M$ and draws the edges induced by $M'$.

For example, the model $\mathrm{EXTREMA} \circ \mathrm{TIMELINES}$ is the localization of multiprocess pair (POT, TIMELINES).

Proposition 8.6  Suppose multiprocess pair $(M, M')$ with localization $L$ acts on graph $\alpha$. Let $\gamma = M(\alpha)$, $\gamma_L = L(\alpha)$ and $\overline{\beta} = \overline{M'}(\alpha)$.

Events $A, B \in \gamma$ satisfy $A \longrightarrow B$ in $\gamma_L$ iff some $A' \in A|_{M'}$ and $B' \in B|_{M'}$ satisfy $A' \longrightarrow B'$ in $\overline{\beta}$.

Proof  This follows from the definitions. If $A' \longrightarrow B'$ in some transitive process component, then $A \longrightarrow B$ in $\gamma$ by an edge representing an edge in $\overline{\beta}$, and that edge is exactly one the localization keeps. □

Corollary 8.7  Let $(M, M')$ be a multiprocess pair. If $M'$ is acyclic, then the localization has no self-loops: no edge connects a node to itself.

While the localization is not transitive, it does possess a "local transitivity." Suppose when we construct the localization, we label each edge with the process model from whence it came. Then the localization has the property that if a path exists whose edges are all labelled with process $p$, then an equivalent edge exists, also labelled with $p$.

Localization adds an intermediate perspective between the local $M'$ and the global $M$: we use the events from $M$ but retain only the edges from $M'$. Since taking the transitive closure of the localization would ruin Proposition 8.6, the localization perspective is intermediate on that axis too. Figure 8.2 illustrates the revised view.


Local Closures  Another useful operation is collecting the events that locally precede some set of system events.

Figure 8.2  The localization of a multiprocess pair provides an intermediate perspective between the local and the global, and between the transitive and the non-transitive. With localization, we now have five views: the localization is central. Here, pair $(M, M')$ with localization $L$ acts on graph $\alpha$, with $\beta = M'(\alpha)$, $\gamma_L = L(\alpha)$ and $\gamma = M(\alpha)$.

Definition 8.8  Suppose multiprocess pair $(M, M')$ with localization $L$ acts on graph $\alpha$. Let $\gamma = M(\alpha)$, $\beta = M'(\alpha)$, and $\gamma_L = L(\alpha)$.

For a set of events $X$ from $\gamma$, define its local past-closure $\lceil X \rceil$ to be the set of events that precede or equal $X$ in $\gamma_L$:

$$\lceil X \rceil = \{ A : \text{for some } B \in X,\ A \longrightarrow B \text{ or } A = B \text{ in } \gamma_L \}$$

Define the local future-closure $\lfloor X \rfloor$ similarly.

Local closures select events from an $M$ graph on the basis of the relations of their pre-images in $M'$. Hence, if a set $X$ consists of POT events at different processes, $\lceil X \rceil$ contains only one copy of $\bot$, rather than a copy for each process.


8.3.  Variations 

8.3.1.  Concurrent  Pairs 

The definition of multiprocess pair says very little about how the global model glues together the individual process components. For example, we could take multicomponent LINLINES and merge one process's maximum with another's minimum.

To describe the situation when the activity at different processes takes place concurrently, we introduce a special term:

Definition 8.9  Suppose multiprocess pair $(M, M')$ has domain $\mathcal{D}$. We say that $(M, M')$ is concurrent when for any $\alpha \in \mathcal{D}$,

1.  If $A$ and $B$ are maxima from different process components in $M'$, then

$$(M/M')(A) \not\longrightarrow (M/M')(B)$$

2.  If $A$ and $B$ are minima from different process components in $M'$, then

$$(M/M')(A) \not\longrightarrow (M/M')(B)$$

Both (LINEAR, LINLINES) and (POT, TIMELINES) are concurrent.

If the model is transitively bounded as well, then the extrema have a simple structure:

Proposition 8.10  If a concurrent model is transitively bounded, then the unique global maximum represents the individual process maxima (and similarly for the minima).

Proof  Let $M$ be the concurrent model. Fix an input graph $\alpha$, and let $A$ be the global maximum in $M(\alpha)$. By Definition 8.1, event $A$ has to represent some event $A'$ at some process $p$. Event $A'$ must be a $\beta$ maximum, for otherwise $A$ could not be maximal. Let $B' \neq A'$ be a maximum at process $q$ (not necessarily distinct from $p$) and let $B$ be its image in $M$. If $B \neq A$, then $B \longrightarrow A$ (because $A$ is maximal) and hence the model could not be concurrent. □


8.3.2.  Multilinear  Pairs 

The definition of multiprocess pair also says very little about the individual process components. We introduce a special term to describe when these components look like timelines:

Definition 8.11  A multiprocess pair $(M, M')$ is multilinear when the individual process components produce only straight-line graphs.

8.3.3.  Parallel Models

Definition 8.9 ensures that the local process components happen in "parallel." Definition 8.11 ensures that process components are timelines. Together, these conditions describe what we usually regard as "parallel computation." Figure 8.3 illustrates this taxonomy.

Definition 8.12  Suppose multiprocess pair $(M, M')$ is concurrent, and each $M'$ component always produces straight-line graphs. We say that $M$ is parallel and that $(M, M')$ is a parallel pair.

Both  (LINEAR, LINLINES)  and  (POT, TIMELINES)  are  parallel  pairs. 


Other  Directions  Part  III  explores  properties  of  parallel  pairs.  However,  more  advanced 
work  may  require  dealing  with  more  general  varieties;  for  example,  rollback  may  require  allowing 
process  components  to  be  trees  rather  than  straight-line  graphs.  Hence,  future  research  may  involve 
slightly  generalizing  our  parallel  pair  machinery. 
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(Part  III) 


Chapter  9 

Logical  Simultaneity 


A time model $M$ on ground-level computation graphs imposes a web of ordering on the events in an unfolding computation. A maximal set of mutually concurrent events represents a logical slice of time across this computation: "logical" in the sense that in the semantics of the time model, this set describes a possible moment of simultaneity.

Section 9.1 considers a number of approaches to describing logical global states in parallel pairs, and shows how they all arise from timeslices: sets of events forming logical slices of time.* Section 9.2 presents some natural operations on event sets; Section 9.3 uses these operations to establish that the set of timeslices forms a lattice.

The literature diverges on the exact definitions of many of the terms that arise here (e.g., "consistent cut"); to avoid any ambiguity, we take pains to indicate clearly the definitions we use.

9.1.  Timeslices

9.1.1.  Vectors and Cuts

We want an object to express a system-wide "system state." Informally, this should be a tuple of events, one per process. However, the fact that events can occur at multiple processes complicates matters.

Thus, in general this "one-per-process" rule has two possible formal characterizations. We introduce terms for both:

Definition 9.1  Suppose $(M, M')$ is a multiprocess pair, and $\gamma$ is a graph from $M$.

1.  An event vector is an array of events from $\gamma$ with the constraint that the process $p$ entry occurs at process $p$.

* [Sp89] uses the term "timeslice" (and [Ma89] uses "time slice"); the timeslices there are special cases of the timeslice here.
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2.  An  event  cut  is  a  set  of  events  from  7  such  that  for  each  process  p,  exactly  one 
event  occurs  at  p. 


Vectors  are  arrays,  rather  than  sets  or  multiseis,  because  events  may  occur  at  multiple  processes. 
Indexing  allows  the  entries  in  a  vector  to  carry  a  banner  indicating  their  origin.  Suppose  distinct 
events  A  and  B  both  occur  at  processes  p  and  q,  and  a  vector  V  contains  both  A  and  B.  Without 
indexing,  we  could  not  tell  which  was  the  process  p  entry  of  vector  V. 

Every  cut  is  the  event  set  from  a  unique  vector:  the  cut  provides  exactly  one  event  for  each 
vector  entry.  However,  not  every  vector  has  an  event  set  that  is  a  cut:  suppose  events  A^  B  both 
occur  at  both  p  and  9;  vector  V  may  contain  both. 

In  graph  theory,  a  cut  is  a  set  of  nodes  whose  removal  leaves  the  graph  disconnected.  In  our 
usage,  a  cut  is  a  set  of  events  that  cuts  each  timeline  in  a  parallel  pair. 


9.1 .2.  Timeslices 

So far, we've just used the fact that each process's component describes a concurrent part of the computation. A computation graph also specifies temporal ordering on events, and hence on the events in a set.

Definition 9.2  A set of events $X$ in a computation graph is mutually concurrent when no events $A, B$ in $X$ (not necessarily distinct) satisfy $A \longrightarrow B$.

When a set of events is mutually concurrent, then, in the semantics of the model, no event in this set happened before another event. If the set is maximal, then any other event in the computation must have happened either before or after some event in this set. Thus in terms of the model, this set describes a possible simultaneous moment.

Definition 9.3  A timeslice from a computation graph $\alpha$ is a maximal set of mutually concurrent events. An $\alpha$-timeslice is a timeslice in graph $\alpha$. An $M$-timeslice is a timeslice in a graph that model $M$ generates.

Suppose $M_1 \sqsubseteq M_2$. Applying Proposition 7.5 tells us how timeslices from $M_1$ relate to timeslices from $M_2$:

•  Timeslices from $M_1$ map into sets of events in $M_2$ that need not be timeslices (since we might gain edges in $M_2$).

•  Conversely, timeslices from $M_2$ map to subsets of timeslices in $M_1$ (since we may lose edges and even events going back to $M_1$).
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9.1.3.  Timeslices  in  Parallel  Pairs 

If  we’re  using  a  parallel  pair  to  describe  temporal  precedence  on  global  events,  then  we  have  three 
perspectives:  the  transitive  local  model,  the  localization,  and  the  transitive  global  model.  We’ve 
already  seen  timeslices  from  two  of  these  structures. 

Timeslices  in  the  Local  Model  Timeslices  from  the  transitive  local  model  are  isomorphic  to 
vectors. 

Proposition  9.4  Let  (M,  M')  be  a  parallel  pair.  Then  V  is  a  vector  in  M  iff 
{ (’'■p  ^)lp  •  P  ^  PROC-NAMES}  is  a  timeslice  in  M'. 

Proof  M'  produces  a  collection  of  total  orders,  one  from  each  process.  □ 


Timeslices  in  the  Localization  Timeslices  in  the  localization  are  cuts. 

Proposition  9.5  Let  (M,  M')  be  a  parallel  pair,  with  localization  I  set  X  is  a 
cut  in  M  iff  X  is  a  timeslice  in  L. 

Proof  Suppose  X  is  a  L-timeslice.  If  process  p  is  not  represented,  then  aiiy  A  touching  p  is 
mutually  concurrent  with  any  element  of  X.  If  process  p  is  represented  twice,  then  X  cannot 
be  mutually  concurrent.  Conversely,  no  distinct  A,  B  in  a  cut  X  can  precede  each  other  (by 
Proposition  8.6),  and  no  A  can  be  a  self-loop  (by  Corollary  8.7).  But  any  other  event  in  the  graph 
must  touch  some  process  p  and  hence  be  ordered  with  Xp  X,  so  X  is  maximal.  □ 


Timeslices  in  the  Global  Model  This  third  case  is  tricky:  timeslices  in  the  transitive  global 
model  are  at  least  partial  cuts. 

Proposition  9.6  Let  (M,  M')  be  a  parallel  pair.  If  X  is  a  timeslice  in  M  then  X  is 
a  partial  cut. 

Proof  Since  precedence  in  the  localization  implies  precedence  in  the  transitive  model,  a  timeslice 
in  the  latter  is  at  least  a  partial  timeslice  in  the  former.  Apply  Proposition  9.5.  □ 

In  general,  timeslices  from  the  global  model  may  not  be  full  cuts.  We  follow  the  literature  in 
introducing  a  term  to  describe  when  they  are. 

Definition  9.7  Let  (M,  M')  be  a  parallel  pair.  A  consistent  cut  is  a  cut  that  is  also 
an  M-timeslice. 
Chapter 12 will consider the properties of a parallel pair necessary to ensure that all timeslices are consistent cuts.

Definition  9.7  differs  from  the  order-theoretic  meaning  of  the  term  “consistent  cut.”  In  order 
theory,  a  consistent  cut  is  a  graph-theoretic  cut  whose  members  share  a  common  upper  bound  (i.e., 
a  common  descendant). 


9.2.  Set  Precedence  and  Operations 

Precedence  The  edges  in  a  computation  graph  specify  precedence  on  events.  We  can  use  these 
edges  to  induce  a  precedence  relation  on  sets  of  events. 

Definition 9.8 Suppose X and Y are sets of events in a graph $\gamma$. We say that X precedes Y in $\gamma$,

$X \prec_\gamma Y$

when an X event precedes a Y event in $\gamma$, and all $A, B \in X \cup Y$ satisfy

$A \to B \text{ in } \gamma \implies A \in X \ \wedge\ B \in Y$

To determine the $\gamma$-precedence of two sets X and Y, we build a subgraph of $\gamma$ by taking the events from these sets and drawing any relevant $\gamma$ edges. Set X precedes set Y when all edges go from an X event to a Y event, and at least one edge exists.


Relative  Minima  and  Relative  Maxima  We  can  also  use  edges  to  transform  sets  of  events. 

Definition 9.9 Suppose X is a set of events in some graph $\gamma$. Define $\min_\gamma(X)$ to be the set of relative minima:

$\min_\gamma(X) = \{A \in X : B \in X \implies B \not\to A \text{ in } \gamma\}$

Define $\max_\gamma(X)$ to be the set of relative maxima.


We  omit  the  subscript  when  the  graph  is  understood. 


Precedence and Relative Min/Max Clearly, the relative minima of $X \cup Y$ can follow neither X nor Y; similarly the relative maxima can precede neither X nor Y. With some stronger conditions on X and Y, we can establish that the relative minima and relative maxima are actually the tightest bounds on X and Y. A lattice structure emerges.
9.3. Lattices


In  this  section,  we  show  that  the  set  of  timeslices  in  a  transitive  graph  forms  a  lattice.  The 
precedence  relation  and  minima  and  maxima  operations  from  Section  9.2  give  the  appropriate 
structure. 

Section  9.3.1  gives  some  basic  definitions.  Section  9.3.2  proves  the  main  result.  Section  9.3.3 
considers  the  implications  for  vectors,  cuts,  and  consistent  cuts. 


9.3.1.  Definitions 

First,  we  recall  some  standard  definitions. 

Definition 9.10 Suppose W is a nonempty ordered set, and y, z are two elements of W. Element $x \in W$ is an upper bound of y and z if, in the order, x follows both y and z. Element x is a least upper bound of y and z if x precedes any other upper bound $x'$ of y and z. Define lower bound and greatest lower bound symmetrically.

A lattice is a nonempty ordered set such that any two elements in the set have both a least upper bound and a greatest lower bound in the set.

The  standard  term  for  “least  upper  bound”  in  a  lattice  is  join;  the  standard  term  for  “greatest 
lower  bound”  is  meet. 


9.3.2. Timeslices

Proving that timeslices from a transitive graph form a lattice is tricky. Intuition suggests that Section 9.2 should provide the tools: $\prec$ precedence provides the order, $\min(X \cup Y)$ should be $X \sqcap Y$ and $\max(X \cup Y)$ should be $X \sqcup Y$.

Intuition fails, because not all timeslices are consistent cuts. While $\prec$ establishes a partial order on $\gamma$-timeslices, the relative minima and relative maxima operations may only produce proper subsets of timeslices. These mutually concurrent sets extend to timeslices, but showing that there exist unique extrema in the set of these extensions is not trivial.

We  prepare  for  the  main  result  with  a  series  of  lemmas. 

Comparing Timeslices If two timeslices are different, then some pair of entries must be ordered:

Lemma 9.11 Let X and Y be timeslices in a graph. If $X \neq Y$ then some $A \in X$ and $B \in Y$ satisfy $A \to B$ or $B \to A$.

Proof Since $X \neq Y$ and timeslices are maximal, we can choose $A \in (X \setminus Y)$. If A were concurrent with everyone in Y, then A would be in Y; hence such a B must exist. □

Since  timeslices  are  mutually  concurrent  sets,  we  can  strengthen  the  property: 

Lemma 9.12 If timeslices X and Y in a graph satisfy $X \prec Y$, then for any A and B from $X \cup Y$,

$A \to B \implies A \in (X \setminus Y) \ \wedge\ B \in (Y \setminus X)$

Proof Timeslices cannot contain events that precede each other. □


Partial Order In a transitive graph, the $\prec$ relation forms a partial order on timeslices:

Lemma 9.13 The $\prec$ relation is a partial order on the set of timeslices in a transitive graph.

Proof We establish the three properties.

1. The $\prec$ relation is antisymmetric. Let X and Y be timeslices. If $X \prec Y$ then there exist $A \in X$ and $B \in Y$ with $A \to B$. If $Y \prec X$ as well, then $A, B \in X \cap Y$. Hence neither could be a timeslice.

2. The $\prec$ relation is irreflexive. If $X \prec X$ then some $A, B \in X$ satisfy $A \to B$.

3. The $\prec$ relation is transitive. Let timeslices X, Y, Z satisfy $X \prec Y \prec Z$. Suppose $A, B \in (X \cup Z)$ satisfy

$A \to B$

but not both $A \in X$ and $B \in Z$. Since X and Z are timeslices, the two events cannot lie together in either, so $A \in Z$ and $B \in X$. If $C \to A$ for some $C \in Y$ then $C \to B$, contradicting $X \prec Y$. But $A \to C$ for some $C \in Y$ violates $Y \prec Z$. If $A \leftrightarrow A$ then A could not be part of timeslice Z. Also $A \notin Y$, since $A \to B$ with $B \in X$ would violate $X \prec Y$. Hence $\{A\} \cup Y$ is mutually concurrent, so Y could not be a timeslice. Thus all $X \cup Z$ edges go from X to Z.

Suppose no $A \in X$ and $B \in Z$ satisfy $A \to B$. Then every $A \in X$ either appears in Z or is mutually concurrent with everyone in Z, in which case it appears in Z. Hence $X = Z$. Apply the antisymmetry case.

□
The Maxima and Minima Operations For timeslices in a transitive graph, the relative maxima and relative minima operations produce mutually concurrent sets:


Lemma 9.14 If X and Y are timeslices in a transitive graph, then $\min(X \cup Y)$ and $\max(X \cup Y)$ are partial timeslices.

Proof Let $Z = \min(X \cup Y)$. If Z is not a partial timeslice, then some $A, B \in Z$ satisfy $A \to B$. Without loss of generality, assume $A \in X$ and $B \in Y$ (both cannot lie in one timeslice). But then $A \in X \cup Y$ precedes B, so B is not a relative minimum of $X \cup Y$, contradicting $B \in Z$.

The case for max is similar. □

These sets characterize the set of timeslice bounds:

Lemma 9.15 Suppose X and Y are timeslices in a transitive graph. Timeslice Z is a lower bound of X and Y iff no event in $\min(X \cup Y)$ precedes any event in Z; timeslice Z is an upper bound of X and Y iff no event in Z precedes any event in $\max(X \cup Y)$.

Proof Let $M = \min(X \cup Y)$. Suppose $A \in M$ precedes $B \in Z$. Without loss of generality, assume $A \in X$. Then Z can neither precede nor equal X. Suppose no $A \in M$ precedes anyone in Z. Then no one in $X \cup Y$ can precede anyone in Z. If $Z \neq X$, then Lemma 9.11 implies that someone in Z must precede someone in X. Hence Z is a lower bound of X and Y. The case for max is symmetric. □


Extremal  Extensions  Timeslices  by  definition  contain  only  acyclic  events.  Hence  the  set  of 
timeslices  that  a  given  mutually  concurrent  set  extends  to  has  a  unique  maximum  and  a  unique 
minimum — because  directed  acyclic  graphs  have  maxima  and  minima. 

Lemma  9.16  Suppose  X  is  a  partial  timeslice  in  a  transitive  graph.  There  exists  a 
unique  minimum  timeslice  and  a  unique  maximum  timeslice  containing  X. 

Proof Let W be the set of all acyclic events that are concurrent with every member of X. Since these events are acyclic, our transitive graph induces a transitive acyclic subgraph $\gamma$ on W. Define $X' = \min_\gamma(W)$. Define $\mathcal{W}$ to be the set of timeslices from $\gamma$. We make some assertions:

• $X' \in \mathcal{W}$. By definition, the $\gamma$ minima set is maximal and mutually concurrent.

• $\{X \cup Z : Z \in \mathcal{W}\}$ is the set of timeslices containing X. A set $X \cup Z$ is mutually concurrent and cannot be extended; the non-X elements of a timeslice containing X must be a timeslice in $\gamma$.

• For any $Z \in \mathcal{W}$, if $Z \neq X'$ then $(X \cup X') \prec (X \cup Z)$. Otherwise, $X'$ could not have been the minima.

Thus a unique minimum $X \cup X'$ exists, and similarly a unique maximum exists. □


The Timeslice Lattice Hence, timeslices from a transitive graph form a lattice. The $\prec$ relation gives a partial order, and max and min give partial timeslices that extend to the appropriate timeslices.

Theorem  9.17  (Timeslice  Lattice)  If  nonempty,  the  set  of  timeslices  in  a  transitive 
graph  forms  a  lattice. 

Proof By Lemma 9.13, the $\prec$ relation forms a partial order.

Let X and Y be timeslices. By Lemma 9.14, $\min(X \cup Y)$ is a partial timeslice. By Lemma 9.16, there exists a unique maximum timeslice Z containing $\min(X \cup Y)$. By Lemma 9.15, Z is a lower bound of X and Y. Suppose timeslice $Z'$ is a different lower bound that is not dominated by Z. Then some $A \in Z$ precedes some $B \in Z'$. By Lemma 9.15, B cannot follow anyone in $\min(X \cup Y)$. But if B precedes someone in $\min(X \cup Y)$, then Z is not a timeslice. Hence B is concurrent with $\min(X \cup Y)$, and by Lemma 9.16 must precede or equal someone in Z; then A precedes that member of Z, and again Z is not a timeslice.

Thus timeslice Z is the greatest lower bound of X and Y; similarly $\max(X \cup Y)$ extends to a least upper bound. □


9.3.3.  Vectors,  Cuts,  and  Consistent  Cuts 

Vectors  A  direct  consequence  of  Section  9.3.2  is  that  vectors  form  a  lattice. 

Theorem 9.18 Suppose parallel pair (M, M') acts on graph $\alpha$. Let $\gamma = M(\alpha)$ and $\beta = M'(\alpha)$. The set of vectors in $\gamma$, if nonempty, forms a lattice.

Proof By the Timeslice Lattice Theorem (Theorem 9.17), the $\beta$-timeslices form a lattice; by Proposition 9.4, the $\gamma$-vectors are a bijective image of the $\beta$-timeslices. □

In fact, this is easily established without Section 9.3.2; in particular, meet and join coincide exactly with the relative minima and maxima:

$X \sqcap Y = \min_\beta(X \cup Y)$

$X \sqcup Y = \max_\beta(X \cup Y)$

We will informally identify vectors with their multicomponent images, and will consequently apply $\prec_\beta$, $\sqcap$, and $\sqcup$ directly to vectors.




Cuts  The  set  of  cuts  does  not  always  form  a  lattice.  Since  the  localization  is  not  transitive,  the 
Timeslice  Lattice  Theorem  (Theorem  9.17)  does  not  apply.  Figure  9.1  sketches  a  counterexample. 

If  the  only  multiple-process  events  were  extrema,  (such  as  in  POT  and  LINEAR),  then  the  case 
of  cuts  would  reduce  to  that  of  vectors. 


Consistent  Cuts  However,  the  set  of  consistent  cuts  does  form  a  lattice.  When  applied  to 
consistent  cuts,  the  cut  operations  yield  consistent  cuts.  (Mutual  concurrency  is  easy  to  establish; 
maximality  would  be  easy  if  events  only  occurred  at  single  processes.) 

Lemma 9.19 Suppose multiprocess pair (M, M') with localization L acts on graph $\alpha$, and $\gamma_L = L(\alpha)$.

If X, Y are consistent cuts, then both $\min_{\gamma_L}(X \cup Y)$ and $\max_{\gamma_L}(X \cup Y)$ are consistent cuts.




Figure 9.1 Cuts in a parallel pair may not form a lattice. Suppose that the process events linked with bold lines are merged in the global model. Then cuts $X = \{A_2, B_3, (C_2 D_1)\}$ and $Y = \{A_3, B_2, (C_1 D_2)\}$ have only a partial cut $\{A_3, B_3\}$ as their relative maxima. This partial cut extends to two different dominating cuts: add $(C_4 D_3)$ or $(C_3 D_4)$. Each of these extensions is concurrent with the other in the set-precedence order. Hence cuts X and Y have no cut as a least upper bound.
Proof Let $\gamma = M(\alpha)$.

Suppose $\pi_p X \to \pi_p Y$ in $\gamma_L$ and $\pi_q Y \to \pi_q X$ in $\gamma_L$. Then $\pi_p X \not\to \pi_q Y$ in $\gamma$, for otherwise X is not consistent. Similarly $\pi_q Y \not\to \pi_p X$ in $\gamma$. Hence $\min_{\gamma_L}(X \cup Y)$ is mutually concurrent.

Since all events in X and Y are acyclic in $\gamma$, they must be acyclic in $\gamma_L$, so any event in $X \cup Y$ follows or equals someone in the relative minima. Suppose some process p were not represented in $\min_{\gamma_L}(X \cup Y)$. If distinct, the p entries of X and Y are ordered by $\gamma_L$; hence without loss of generality suppose that $\pi_p X \Rightarrow \pi_p Y$ in $\gamma_L$. Since $\pi_p X$ is not a minimum, some A from $X \cup Y$ must satisfy $A \to \pi_p X$ in $\gamma_L$. But this event A precedes both $\pi_p X$ and $\pi_p Y$ in $\gamma$; hence at least one of X, Y must not have been a consistent cut.

The case for $\max_{\gamma_L}$ is similar. □

On  consistent  cuts,  the  cut  operations  (minima  and  maxima  in  the  localization)  coincide  with 
the  timeslice  operations  (minima  and  maxima  in  the  transitive  global  graph): 

Lemma 9.20 Suppose parallel pair (M, M') with localization L acts on graph $\alpha$.

Let $\gamma = M(\alpha)$ and $\gamma_L = L(\alpha)$. If X and Y are consistent cuts, then

$\min_\gamma(X \cup Y) = \min_{\gamma_L}(X \cup Y)$

$\max_\gamma(X \cup Y) = \max_{\gamma_L}(X \cup Y)$

Proof Since $\gamma_L \subseteq \gamma$ and removing edges cannot cause an event to stop being minimal:

$\min_\gamma(X \cup Y) \subseteq \min_{\gamma_L}(X \cup Y)$

$\max_\gamma(X \cup Y) \subseteq \max_{\gamma_L}(X \cup Y)$

Suppose $A \in \min_{\gamma_L}(X \cup Y)$ but $A \notin \min_\gamma(X \cup Y)$. Then there exists a $B \in (X \cup Y)$ such that $B \to A$ in $\gamma$. Without loss of generality, suppose $A \in X$ and $B \in Y$, and $A|_p$ exists. If $\pi_p Y \to A$ in $\gamma_L$, then A could not have been minimal in $\gamma_L$. Hence $A \Rightarrow \pi_p Y$ in $\gamma_L$ and hence in $\gamma$, in which case Y could not be mutually concurrent. The case for join is similar. □

Hence  consistent  cuts  form  a  lattice. 

Theorem  9.21  Suppose  (M,  M')  is  a  parallel  pair.  If  nonempty,  the  set  of  consistent 
cuts  in  an  M  graph  forms  a  lattice. 


Proof By the Timeslice Lattice Theorem (Theorem 9.17), the set of timeslices forms a lattice. Consistent cuts are a nonempty subset. By Lemma 9.19 and Lemma 9.20, this subset is closed under meet and join. □
As with vectors, the minima and maxima operations here are exactly meet and join. This only makes sense, as on consistent cuts, the operations coincide not only with the timeslice operations, but also with the vector operations. Precedence coincides as well.

Meets  and  joins  also  preserve  event  membership.  Hence  the  set  of  consistent  cuts  containing 
some  specified  event  set  is  a  lattice. 

Theorem  9.22  Suppose  (M,  M')  is  a  parallel  pair,  and  a  set  of  events  X  from  an 
M  graph  is  contained  in  at  least  one  consistent  cut.  Then  the  set  of  all  consistent  cuts 
containing  X  forms  a  lattice. 


Proof This follows directly from Theorem 9.21, and the above observation. □
(Part III)


Chapter 10

Timestamp Vectors and Rollback Vectors


As  much  previous  research  has  noted,  vectors  play  a  fundamental  role  in  representing  distributed 
time  structures.  This  chapter  explores  this  role  in  terms  of  our  time  theory. 

For  each  event  from  a  graph  from  a  parallel  model,  we  introduce  two  special  structures:  the 
timestamp  vector,  containing  the  maximal  events  at  each  process  that  precede  or  equal  the  event, 
and  the  rollback  vector  containing  the  minimal. 

Section 10.1 develops the definitions of these vectors, and Section 10.2 and Section 10.3 explore some properties of them (including their use as clocks).


10.1.  The  Definition 


10.1.1.  The  Attempt 

First,  we  present  the  definitions. 


Definition 10.1 Suppose parallel pair (M, M') acts on graph $\alpha$. Let $\gamma = M(\alpha)$ and $\beta = M'(\alpha)$. For event A in $\gamma$, define its timestamp vector $V(\gamma, M, M', A)$ to be the vector whose process p entry is the event B such that:

• $B \Rightarrow A$ in $\gamma$

• $B|_p$ exists

• If $C \Rightarrow A$ in $\gamma$ and $C|_p$ exists, then $C|_p \Rightarrow B|_p$ in $\beta$.

Define its rollback vector $R(\gamma, M, M', A)$ symmetrically: the vector whose process p entry is the event B such that:

• $A \Rightarrow B$ in $\gamma$

• $B|_p$ exists

• If $A \Rightarrow C$ in $\gamma$ and $C|_p$ exists, then $B|_p \Rightarrow C|_p$ in $\beta$.

Usually  the  graph  and  the  parallel  pair  are  understood  when  we  deal  with  these  vectors.  In 
these  situations,  we  will  condense  the  awkward  parameter  list  and  write  simply  V(A)  and  R(A), 
respectively. 

An  easy  consequence  of  this  definition  is  that  an  event  precedes  or  equals  everything  in  its 
rollback  vector,  and  follows  or  equals  everything  in  its  timestamp  vector. 

Proposition 10.2 Suppose parallel pair (M, M') acts on graph $\alpha$. Let A be an event from $\gamma = M(\alpha)$ and let $p \in$ PROC-NAMES. If $\pi_p V(A)$ is defined, then $\pi_p V(A) \Rightarrow A$ in $\gamma$. Similarly if $\pi_p R(A)$ is defined, then $A \Rightarrow \pi_p R(A)$ in $\gamma$.

Proof This assertion follows directly from Definition 10.1. □


10.1.2. Unique Entries

Because the process components in a parallel pair are total orders, the process image of a vector entry is unique. That is, for event A from an M graph and process $p \in$ PROC-NAMES, not more than one event from process p meets the criteria for the process p entry of V(A) and R(A). Because the process components are indeed components of M, the vector entry itself, as an event in M, is also unique.


10.1.3. Missing Entries

However, a problem with Definition 10.1 is that not all entries of these vectors are always defined. The number of qualifying events is never more than one, but it might be zero.

For parallel pair (M, M'), the process p entry of the V(A) vector is defined iff some B satisfying $B \Rightarrow A$ in M represents something at process p. A simple condition guarantees this property:

Proposition  10.3  Let  (M,M')  be  a  parallel  pair.  If  M  is  transitively  bounded, 
then  all  entries  in  all  timestamp  and  rollback  vectors  are  defined. 


Proof  From  Proposition  8.10,  the  global  extrema  represent  the  local  extrema;  hence  the  past  of 
any  event  A  touches  each  process  component  in  at  least  one  spot,  as  does  the  future.  □ 

Conveniently,  the  POT  model  is  transitively  bounded. 
10.2. Properties Despite Missing Entries


We  can  prove  a  number  of  properties  about  timestamp  and  rollback  vectors,  even  if  we  allow  for 
vectors  with  undefined  entries. 

First,  timestamp  vectors  and  rollback  vectors  mark  the  influence  horizons  of  events: 

Theorem 10.4 Suppose parallel pair (M, M') acts on graph $\alpha$. Let A and B be events from $\gamma = M(\alpha)$. Then

$A \Rightarrow B \text{ in } \gamma \iff A \in \lceil V(B) \rceil \iff B \in \lfloor R(A) \rfloor$

Proof Let L be the localization of (M, M'); let $\beta = M'(\alpha)$ and $\gamma_L = L(\alpha)$. Let $V = V(B)$ and let $R = R(A)$.

Suppose $A \Rightarrow B$ in $\gamma$. A must represent at least one process, so let that process be p. Then B has an ancestor representing part of the p component of $\beta$. Hence by Definition 10.1, $(\pi_p V)|_p$ exists, and $A|_p \Rightarrow (\pi_p V)|_p$ in $\beta$. Hence, by Definition 8.8, $A \in \lceil V \rceil$.

$A \in \lceil V \rceil$ implies there exists some p such that $A|_p$ and $(\pi_p V)|_p$ both exist and satisfy $A|_p \Rightarrow (\pi_p V)|_p$ in $\beta$. Hence $A \Rightarrow \pi_p V$ in $\gamma$, and by Proposition 10.2 and transitivity, $A \Rightarrow B$ in $\gamma$.

The case for the rollback vector is symmetric. □

The relation of an event at process p to the process p entries of its vectors satisfies a simple identity, one that is trivial for acyclic models.

Lemma 10.5 Suppose parallel pair (M, M') acts on graph $\alpha$. Let A be an event from $\gamma = M(\alpha)$; let $\beta = M'(\alpha)$ and $p \in$ PROC-NAMES. If $A|_p$ exists in $\beta$, then the process p entries of R(A) and V(A) exist in $\gamma$, and their images in $\beta$ bracket the image of A:

$(\pi_p R(A))|_p \Rightarrow A|_p \Rightarrow (\pi_p V(A))|_p$

Proof A precedes or equals itself, so it must precede or equal its maximal improper ancestor at p. Similarly A must follow or equal its minimal improper descendant. □

Timestamp and rollback vectors are unique, up to M cycles:

Lemma 10.6 Suppose parallel pair (M, M') acts on graph $\alpha$. Let A and B be events from graph $\gamma = M(\alpha)$, and let $\beta = M'(\alpha)$. Then

$A \rightleftharpoons B \iff V(A) = V(B) \iff R(A) = R(B)$

where $A \rightleftharpoons B$ denotes $A \Rightarrow B$ and $B \Rightarrow A$ in $\gamma$.

Proof Clearly if $A \rightleftharpoons B$ then the other two statements hold.

Suppose $V(A) = V(B)$. If $A|_p$ exists, then the p entry of the A vector exists. Hence so does the p entry of the B vector, and these entries satisfy:

$\pi_p V(A) = \pi_p V(B)$

Lemma 10.5 establishes that

$A|_p \Rightarrow (\pi_p V(A))|_p$

Hence $A \Rightarrow \pi_p V(A)$. But Proposition 10.2 gives $\pi_p V(B) \Rightarrow B$. Hence $A \Rightarrow B$, and similarly $B \Rightarrow A$.

The case for rollback vectors is symmetric. □


10.3.  Vector  Clocks 


Timestamp  vectors  have  a  natural  use  as  M-clocks  for  the  transitive  global  model.  If  a  process 
timestamps  each  event  with  its  timestamp  vector,  then  a  simple  comparison  determines  the  M 
relation  of  two  events.*  (Doing  this  comparison  requires  having  all  entries  defined — which  we 
have  from  Proposition  10.3.)  Further,  for  well-behaved  models  like  POT,  calculating  the  timestamp 
vector  for  each  event  is  very  simple. 

Rollback vectors describe the spread of influence of an event in a system. If A were instantaneously rolled back, the vector R(A) indicates the frontier of what needs to be undone. (But rollback vectors also function as clocks, although not necessarily very practical ones.)

The  key  result  is  that  vector  precedence  (from  Theorem  9.18)  follows  event  precedence. 

Theorem 10.7 (Vector Clocks) Suppose transitively bounded parallel pair (M, M') acts on graph $\alpha$. Let $\gamma = M(\alpha)$.

For any two events A, B:

$V(A) \prec V(B) \iff R(A) \prec R(B) \iff (A \to B \text{ in } \gamma \ \wedge\ B \not\to A \text{ in } \gamma)$

Proof Suppose $A \to B$ but $B \not\to A$. Then Proposition 10.2 and transitivity give each $\pi_p V(A) \to B$. The definition of timestamp vector then gives

$\pi_p V(A) \Rightarrow \pi_p V(B)$

for each p. Hence $V(A) \preceq V(B)$; $B \not\to A$ and Lemma 10.6 make this inequality strict.

Conversely, suppose $V(A) \prec V(B)$ and $A|_p$ exists. Then Lemma 10.5 gives $A \Rightarrow \pi_p V(A)$. By hypothesis $\pi_p V(A) \Rightarrow \pi_p V(B)$; Proposition 10.2 and transitivity then give $A \Rightarrow B$. But Lemma 10.6 and the inequality of the vectors force $A \neq B$ and $B \not\to A$.

The case for rollback vectors is symmetric. □

*The vector clocks in the literature [StYe85, Fi88, Jo89, Ma89, JoZw90, SiKs90, Sm91, PeKe93, ReGo93, SmTy93] are special cases of this result.

Like  much  of  the  work  here,  this  theorem  applies  to  more  general  models  than  POT.  For  example, 
the  theorem  does  not  require  that  M  be  acyclic. 
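The following program is an added worked example, not code from the thesis. It builds a small constructed three-process execution in the style of POT (local total orders plus message edges, with single initial and final events touching every process so that the model is transitively bounded and every vector entry exists, as Proposition 10.3 requires), takes the transitive closure as the global graph γ, enumerates the timeslices and the consistent cuts of Definition 9.7, checks that consistent cuts are closed under the componentwise cut meet and join (Lemma 9.19, Theorem 9.21), and checks the Vector Clocks theorem (Theorem 10.7) for both timestamp and rollback vectors on every pair of events. It also exhibits timeslices that are not cuts, the situation noted after Proposition 9.6. The event names, the message pattern, and the representation of an event's process images as a dictionary of positions are assumptions of the example.

```python
"""Added worked example for Theorems 9.21 and 10.7 on a constructed POT-style
execution. Not code from the thesis."""
from itertools import combinations, product

PROCS = ("p", "q", "r")

# Constructed execution (an assumption of this example). TOUCHES[e][p] is the
# position of the image e|_p in the total order of process p (the M' component).
# "init" and "fin" are single events touching every process, so the global
# extrema represent the local extrema and every vector entry is defined.
TOUCHES = {
    "init": {"p": 0, "q": 0, "r": 0},
    "p1": {"p": 1}, "p2": {"p": 2}, "p3": {"p": 3},
    "q1": {"q": 1}, "q2": {"q": 2}, "q3": {"q": 3},
    "r1": {"r": 1}, "r2": {"r": 2},
    "fin": {"p": 4, "q": 4, "r": 3},
}
EVENTS = tuple(TOUCHES)
# Message edges (send, receive); local order supplies the remaining edges.
MESSAGES = [("p1", "q2"), ("p1", "r2"), ("r2", "p3")]


def local_order(p):
    return sorted((e for e in EVENTS if p in TOUCHES[e]), key=lambda e: TOUCHES[e][p])


def build_hb():
    """Transitive closure of local and message edges: HB[a] = {b : a -> b in γ}."""
    hb = {e: set() for e in EVENTS}
    for p in PROCS:
        seq = local_order(p)
        for i, a in enumerate(seq):
            hb[a].update(seq[i + 1:])
    for s, r in MESSAGES:
        hb[s].add(r)
    changed = True
    while changed:
        changed = False
        for a in EVENTS:
            for b in list(hb[a]):
                extra = hb[b] - hb[a]
                if extra:
                    hb[a] |= extra
                    changed = True
    return hb


HB = build_hb()


def prec_eq(a, b):            # a => b in γ (precedes or equals)
    return a == b or b in HB[a]


def concurrent(a, b):         # neither precedes the other
    return a != b and b not in HB[a] and a not in HB[b]


def is_timeslice(s):
    """Maximal mutually concurrent set of events in γ (all events here are acyclic)."""
    s = frozenset(s)
    if not all(concurrent(a, b) for a, b in combinations(s, 2)):
        return False
    return not any(all(concurrent(e, a) for a in s) for e in EVENTS if e not in s)


def is_cut(s):
    """Every process is represented by exactly one event of s (Proposition 9.5)."""
    return all(sum(p in TOUCHES[e] for e in s) == 1 for p in PROCS)


def all_timeslices():
    return [frozenset(c) for k in range(1, len(EVENTS) + 1)
            for c in combinations(EVENTS, k) if is_timeslice(c)]


def consistent_cuts():
    """Definition 9.7: cuts that are also γ-timeslices."""
    return [ts for ts in all_timeslices() if is_cut(ts)]


def entry(cut, p):            # π_p of a cut
    return next(e for e in cut if p in TOUCHES[e])


def cut_meet(x, y):
    """Per process, the earlier of the two entries: the relative minima of X ∪ Y in
    the localization, which on consistent cuts is the lattice meet (Lemma 9.20)."""
    return frozenset(min((entry(x, p), entry(y, p)), key=lambda e: TOUCHES[e][p]) for p in PROCS)


def cut_join(x, y):
    return frozenset(max((entry(x, p), entry(y, p)), key=lambda e: TOUCHES[e][p]) for p in PROCS)


def consistent_cuts_closed():
    """Lemma 9.19 / Theorem 9.21: meet and join of consistent cuts are consistent cuts."""
    cc = consistent_cuts()
    return all(cut_meet(x, y) in cc and cut_join(x, y) in cc for x, y in product(cc, repeat=2))


def timestamp_vector(a):
    """Definition 10.1: the p entry is the maximal event at p that precedes or equals a."""
    return {p: max((e for e in local_order(p) if prec_eq(e, a)), key=lambda e: TOUCHES[e][p])
            for p in PROCS}


def rollback_vector(a):
    """Symmetric: the p entry is the minimal event at p that a precedes or equals."""
    return {p: min((e for e in local_order(p) if prec_eq(a, e)), key=lambda e: TOUCHES[e][p])
            for p in PROCS}


def vec_lt(v, w):
    """Vector precedence: entrywise <= in each process's order, and not equal."""
    return v != w and all(TOUCHES[v[p]][p] <= TOUCHES[w[p]][p] for p in PROCS)


def strictly_before(a, b):
    return b in HB[a] and a not in HB[b]


def vector_clock_theorem_holds():
    """Theorem 10.7 checked on every ordered pair of events."""
    return all(vec_lt(timestamp_vector(a), timestamp_vector(b)) == strictly_before(a, b)
               and vec_lt(rollback_vector(a), rollback_vector(b)) == strictly_before(a, b)
               for a, b in product(EVENTS, repeat=2))


if __name__ == "__main__":
    print(len(all_timeslices()), "timeslices,", len(consistent_cuts()), "consistent cuts")
    print("timeslices that are not cuts:", [sorted(t) for t in all_timeslices() if not is_cut(t)])
    print("consistent cuts closed under meet/join:", consistent_cuts_closed())
    print("vector clock theorem holds:", vector_clock_theorem_holds())
```

The enumeration is brute force over subsets and is meant for a graph of a dozen events, not for production use; the point is that the three checks a practitioner would want (is this set of per-process positions a consistent cut, does the meet of two consistent cuts stay consistent, and does comparing two timestamp vectors decide precedence) all reduce to the componentwise operations the text identifies. Note that in this formalism a set containing both a send and its matching receive is never a consistent cut, because the two events are ordered.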


Chapter 11

Real Simultaneity


A  timeslice  from  a  computation  graph  is  a  set  of  logically  concurrent  events.  Does  this  logical  si¬ 
multaneity  imply  real  simultaneity?  That  is,  how  do  timeslices  correspond  to  the  real  instantaneous 
system  states  in  the  underlying  physical  computation?  Clearly,  a  necessary  condition  is  that  the 
graph  be  produced  by  a  concrete,  grounding  generator  M.  This  way,  the  underlying  computation 
really  exists  and  the  components  of  a  timeslice  really  do  correspond  to  parts  of  this  computation. 

In  this  section  we  begin  exploring  this  relationship  for  the  parallel  models  we’ve  constructed. 

Section 11.1 formally defines our usage of the term global state: in physical computations,
the  system  state  at  some  instant;  in  computation  graphs,  the  representation  of  a  global  state  in  some 
computation  mapping  to  that  graph. 

Section  11.2  explores  the  relationship  between  timeslices  and  global  states  for  the  LINEAR 
model.  However,  Section  11.3  demonstrates  how  the  partial  order  model  POT  fails  to  give  the 
desired  relationships. 


11.1.  Global  States 

Global  States  in  Computations  The  term  “global  state”  admits  two  interpretations;  a  static 
one  (what’s  the  local  state  everywhere  right  now?)  and  a  dynamic  one  (what’s  everyone  doing 
right  now?). 

Our work allows both interpretations. “Right now” presumably denotes some instant of real time: for computation $T = ((t_0, s_0), \ldots, (t_k, s_k))$, some instant t in the closed interval $[t_0, t_k]$. In terms of computation graphs, the most accurate picture we can obtain of the system at time t is the set of atoms for time t in the ground-level graph.


Definition 11.1 A global state in a trace $T = ((t_0, s_0), \ldots, (t_k, s_k))$ is the set of atoms in the ground-level graph of T representing system activity at some time $t \in [t_0, t_k]$.

For example, in Figure 11.1, the highlighted node and edge in the ground-level computation graph $\alpha$ constitute a global state, corresponding to real time t.


Global  States  In  Modeled  Computations  A  set  ^  together  with  a  grounding  generator 
induces  a  map  from  atoms  in  Q  back  to  atoms  in  ground-level  graphs.  This  induced  map  gives  an 
easy  way  to  define  when  sets  of  Q  atoms  describe  a  true  simultaneous  moment  in  an  underlying 
trace. 


Definition 11.2 Let M be a grounding generator of set $\mathcal{G}$ and let $\beta \in \mathcal{G}$. A set S of atoms in $\beta$ represents a global state when for some $\alpha \in M^{-1}(\beta)$:

• $(M, \alpha)(S)$ contains a global state in $\alpha$

• but no proper subset of S does.


For example, in Figure 11.1, the highlighted nodes in the LINEAR graph $\beta$ minimally represent the highlighted global state in the ground-level graph $\alpha$.

Definition 11.2 includes two subtleties deserving special emphasis.

Global  states  do  not  necessarily  occur  A  global  state  in  a  computation  graph  corresponds 
to  a  real  global  state  in  some  physical  computation  that  maps  to  that  graph — not  necessarily 
the  physical  computation  really  in  progress. 

Global  states  depend  on  the  model  Talking  about  how  an  event  set  in  a  graph  corresponds 
to  reality  requires  talking  about  how  the  graph  corresponds  to  reality.  Thus  talking  about 
global  states  requires  specifying  (at  least  implicitly)  a  grounding  generator  for  that  graph. 


Whether  we  allow  static  global  states  or  dynamic  global  states  depends  on  whether  our  model 
allows  passive  events  like  idle,  and  whether  we  are  exploring  states  as  sets  of  atoms  or  strictly  sets 
of  events. 


A  Schema  for  Examining  Models  If  timeslices  are  doing  their  job,  then  they  should  describe 
exactly  the  interesting  global  states  in  the  graphs  a  model  produces.  Considering  this  issue  yields 
some  questions: 

•  What  are  the  interesting  global  states? 

•  Do  timeslices  minimally  represent  these  states? 

•  Do  any  other  event  sets  minimally  represent  these  states? 

•  Are  there  any  of  these  states  that  cannot  be  minimally  represented  by  event  sets? 
Figure 11.1 Global states arise from real simultaneity; event sets that minimally represent global states arise from the representational aspect of time models. The space-time region on the bottom describes some computation, whose ground-level computation graph is $\alpha$. Graph $\beta$ is the image of $\alpha$ under the model LINEAR. Set Z is the region of space-time corresponding to the real time t; the edge and event of Y comprise the global state in $\alpha$ corresponding to Z. We follow the representation lines (dashed) to obtain X, the event set in $\beta$ that minimally represents this global state.
If the model in question happens to be parallel, we have yet another question:

• Is each timeslice a consistent cut?

A global state is a simultaneous moment in a computation, perceived through the granularity of a ground-level computation graph. In this paper, we use the crude criterion that a global state is “interesting” when any part of its action is part of a “thing that happens” in a model. That is, if a model creates an event that represents part of the global state X, then X is relevant to that model. So the model should be able to talk about it.

This criterion answers the first question from the above list. We can easily answer the last question: if a timeslice is not a consistent cut, then it represents no activity at some process p, hence it cannot represent a global state.

In Section 11.2 and Section 11.3 we explore whether the timeslices from LINEAR and POT describe exactly these interesting global states. The remaining questions from the above list form a schema for this exploration.


11.2. Timeslices and Global States in Linear Time


The  case  for  LINEAR  is  extremely  straightforward. 

Theorem 11.3 Suppose LINEAR generates graph $\gamma$. If a set of events X in $\gamma$ is a timeslice in $\gamma$, then X minimally represents a global state.

Proof Consider a ground-level graph that is a pre-image of $\gamma$. Timeslices exactly represent either the initial global state, the final global state, or the global state between photos when something happens. (The definition of trace ensures that when two actions happen between photos, they happen simultaneously.) □


Theorem 11.4 Suppose LINEAR generates graph $\gamma$. If a set of events $X$ from $\gamma$ minimally represents a global state, then $X$ is a timeslice in $\gamma$.

Proof This follows from two facts. First, a strict subset of a timeslice cannot describe all processes. Second, if $A \to B$ in LINEAR then the space-time regions of $A$ and $B$ have disjoint time ranges. So, such an $X$ must touch all processes and be mutually concurrent. □


Theorem  11.5  Let  X  be  a  global  state  from  ground-level  graph  a.  If  an  event 
in  LINEAR(a)  represents  any  part  of  X,  then  a  timeslice  in  LINEAR(a)  minimally 
represents  X. 
Proof This fact is clear from the construction of LINEAR graphs. We create events in rows, one for each process, in accordance with the time periods. The timeslices are the rows. □


Theorem  11.6  In  any  graph  produced  by  LINEAR,  each  timeslice  is  a  consistent 
cut. 


Proof This follows directly from the proof of Theorem 11.5 above. □


11.3.  Timeslices  and  Global  States  in  Partial  Order  Time 


Section  11.1  provides  a  schema  to  establish  that  timeslices  express  simultaneity  in  parallel  models. 
This  schema  fails  for  POT. 


Failure Consider an execution where process $p$ sends a message to process $q$. Process $q$ receives this message and returns a response to process $p$, which then receives the response. In the POT graph of this execution (see Figure 11.2), the singleton consisting of process $q$'s send is a timeslice. But this timeslice cannot represent a global state because it says nothing about process $p$; no event set minimally represents the global state containing process $q$'s send.


Limited  Success  We  can  establish  some  limited  results.  Mutually  concurrent  events  in  POT 
represent  part  of  a  global  state:  in  some  underlying  computation,  mutually  concurrent  events  are 
simultaneous. 

Lemma 11.7 Let $\gamma$ be the POT image of a ground-level graph. If a set of events $X$ is mutually concurrent in $\gamma$ then $X$ minimally represents a subset of a global state.


Figure 11.2 The shaded event is a timeslice in POT; however, this timeslice does not represent a global state, as it says nothing about activity at process $p$.
Proof Obtain a ground-level graph in $\mathrm{POT}^{-1}(\gamma)$ as follows. First, assign integers to the nodes in $\gamma$ by setting each element of $X$ to 0, setting each $A$ following $X$ to be one greater than the maximum value of its ancestors in POT, and each $A$ before $X$ to one less than the minimum value of its successors. Since POT is acyclic, this operation is well-defined. Secondly, add $j$ to the value of the nodes, where $-j$ is the value on $\bot$. Let $k$ be the resulting value on $\top$. By Axiom 3.1, a computation exists with $\bot$ photos at $t = 0$, $\top$ photos at $t = k$, and (for remaining nodes $foo$, marked with integer $v$) the appropriate $foo$ actions occurring in the time interval $(v, v + 1)$.

Construct the ground-level graph for this computation. The events in $X$ represent a subset of the ground-level graph events for $(j, j + 1)$. □

Thus,  the  timeslices  that  are  consistent  cuts  in  fact  represent  global  states: 


Theorem 11.8 Consistent cuts in POT minimally represent global states.

Proof Let $\gamma$ be a POT graph, and let $X$ be a consistent cut from $\gamma$. By definition, $X$ describes activity at every process. By Lemma 11.7, there exists a ground-level graph in $\mathrm{POT}^{-1}(\gamma)$ in which $X$ minimally represents a set of simultaneous events. Since this set must span all of space, it must be a global state. □
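The construction in the proof of Lemma 11.7 can be carried out mechanically. The following Python program is an added example, not code from the thesis: on a constructed POT-style DAG (bounding nodes BOT and TOP, processes p, q, r, two messages) it performs the two-pass integer labelling the proof describes, so that a mutually concurrent set X lands at one instant, the bottom node at t = 0, and every edge runs strictly forward in time. The function and variable names are assumptions of this example.

```python
"""Lemma 11.7 as an algorithm (added example, not the thesis's code).

Given a POT DAG and a mutually concurrent event set X, assign integer
times: X at one instant, BOT at 0, every edge a -> b with time[a] < time[b].
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample.  Timelines p1->p2->p3, q1->q2, r1->r2;
# messages p1->q2 and r1->p3; BOT and TOP bound the graph.
EDGES = [
    ("BOT", "p1"), ("BOT", "q1"), ("BOT", "r1"),
    ("p1", "p2"), ("p2", "p3"), ("q1", "q2"), ("r1", "r2"),
    ("p1", "q2"), ("r1", "p3"),
    ("p3", "TOP"), ("q2", "TOP"), ("r2", "TOP"),
]


def closure(edges):
    """reach[a]: every node strictly after a (Warshall over sets)."""
    nodes = {x for e in edges for x in e}
    reach = {n: {b for a, b in edges if a == n} for n in nodes}
    for k in nodes:
        for n in nodes:
            if k in reach[n]:
                reach[n] |= reach[k]
    return reach


def mutually_concurrent(events, reach):
    return all(b not in reach[a] and a not in reach[b]
               for a, b in combinations(events, 2))


def topological_order(edges):
    nodes = {x for e in edges for x in e}
    indeg, succ = {n: 0 for n in nodes}, defaultdict(list)
    for a, b in edges:
        succ[a].append(b)
        indeg[b] += 1
    order, ready = [], sorted(n for n in nodes if indeg[n] == 0)
    while ready:
        n = ready.pop()
        order.append(n)
        for m in succ[n]:
            indeg[m] -= 1
            if indeg[m] == 0:
                ready.append(m)
    if len(order) != len(nodes):
        raise ValueError("graph has a cycle; POT graphs are acyclic")
    return order


def schedule_simultaneous(edges, X, bottom="BOT"):
    """Integer time per node: all of X simultaneous, bottom at 0."""
    reach = closure(edges)
    if not mutually_concurrent(X, reach):
        raise ValueError("X is not mutually concurrent")
    pred, succ = defaultdict(set), defaultdict(set)
    for a, b in edges:
        pred[b].add(a)
        succ[a].add(b)
    order = topological_order(edges)
    after = {n for n in order if any(n in reach[x] for x in X)}
    time = {x: 0 for x in X}
    # Forward pass: a node after X gets one more than its latest
    # already-labelled ancestor (one of them lies on a path from X).
    for n in order:
        if n in after:
            time[n] = 1 + max(time[a] for a in pred[n] if a in time)
    # Backward pass: every other node gets one less than its earliest
    # successor (all successors are labelled by the time we reach it).
    for n in reversed(order):
        if n not in time:
            time[n] = min((time[b] for b in succ[n]), default=1) - 1
    shift = -time[bottom]          # the "add j" step: bottom lands at 0
    return {n: t + shift for n, t in time.items()}


def respects_edges(edges, time):
    """Every edge must run strictly forward in the constructed schedule."""
    return all(time[a] < time[b] for a, b in edges)


if __name__ == "__main__":
    sched = schedule_simultaneous(EDGES, {"p2", "q1"})
    print(sorted(sched.items(), key=lambda kv: kv[1]))
```

Running it on the sample with X = {p2, q1} places both at t = 2 and TOP at t = 4; passing a set such as {p1, q2}, where p1 precedes q2, is rejected as not mutually concurrent.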
(Part III)


Chapter 12

View-Completeness 


In Section 11.3, we saw that a very simple parallel pair will produce timeslices that neither represent
global  states  nor  derive  from  consistent  cuts. 

Consider  again  the  POT  graph  from  Figure  11.2.  The  graph  fails  because  process  p  goes 
directly  from  the  send  event  to  the  receive  event.  The  p-send  precedes  the  receive  at  process  q;  the 
p-receive  follows  it.  Hence  no  event  at  p  can  be  concurrent  with  the  q-receive — even  though  process 
p  actually  “experienced”  a  moment  of  concurrency:  the  edge  from  the  p-send  to  the  p-receive. 

In  this  section,  we  explore  the  deeper  issues  at  work  here.  We  develop  the  concept  of  view- 
completeness:  if  an  atom  at  a  process  affords  an  external  temporal  view,  then  an  event  at  that 
process  affords  the  same  view.  In  Section  12.1  we  develop  tools  for  dealing  with  ordering  edges; 
in  Section  12.2  we  define  view-completeness;  and  in  Section  12.3  we  explore  the  implications  of 
view-completeness  for  timeslices. 


12.1. Tools for Edges

Isolating  Transition  Edges  We  begin  by  introducing  a  tool  to  move  from  one  event  to  its 
successor  and  to  its  predecessor: 

Definition 12.1 Let $A$ be an event from graph $\alpha$. Suppose there exists a unique $B$ in $\alpha$ such that $A \to B$: we will denote this event by $\mathrm{next}(A)$.

Define  prev(A)  similarly. 

If an event has unique neighbors, then these neighbors must lie on all precedence paths:

Proposition 12.2 Let $A$ be an event from graph $\alpha$.

1. If $\mathrm{next}(A)$ exists, then for any $B$ in the transitive closure of $\alpha$:

$$A \Rightarrow B \implies \mathrm{next}(A) \Rightarrow B$$

2. If $\mathrm{prev}(A)$ exists, then for any $B$ in the transitive closure of $\alpha$:

$$B \Rightarrow A \implies B \Rightarrow \mathrm{prev}(A)$$

Proof All outgoing paths from $A$ in $\alpha$ must start with the edge $A \to \mathrm{next}(A)$; similarly all incoming paths must end with $\mathrm{prev}(A) \to A$. □

In a parallel pair, only non-maxima in the multicomponent are guaranteed to have successors, since the general model may add cross-process edges. Nevertheless, since a non-maximum in the global model is the image of a nonempty set of non-maxima in the local model, we can still obtain successors by specifying which process component to consider.

Definition 12.3 Suppose $(M, M')$ is a parallel pair. Let $A$ be an event from a graph that $M$ generates, and let $p \in$ PROC-NAMES. If $A|_p$ exists, define

$$\mathrm{next}_p(A) = (M/M')(\mathrm{next}(A|_p))$$

$$\mathrm{prev}_p(A) = (M/M')(\mathrm{prev}(A|_p))$$

Ordering on Edges We defined precedence only for the events in a computation graph. But the definition extends to the edges as well, if we pretend that a dummy event lies inside the edge.

Definition 12.4 Suppose $E$ is an edge connecting node $E_{\mathrm{in}}$ to node $E_{\mathrm{out}}$ in graph $\alpha$. For node $A$:

• Define $A \to E$ when $A \to E_{\mathrm{in}}$.

• Define $E \to A$ when $E_{\mathrm{out}} \to A$.

12.2.  View-Complete  Models 

We  now  use  the  tools  of  Section  12.1  to  develop  view-completeness:  when  every  edge  has  an  event 
with  the  same  view. 


External  Equivalence  First,  we  define  what  it  means  for  two  atoms  to  have  the  same  view. 

Definition 12.5 Suppose $(M, M')$ is a multiprocess pair. Suppose $A$ and $B$ are atoms in an $M$ graph, such that for some $p \in$ PROC-NAMES, both $A|_p$ and $B|_p$ exist. Then $A$ and $B$ are externally equivalent at $p$, written

$$A \sim_p B$$

when

1. In $M$, $A$ is cyclic iff $B$ is cyclic

2. For any $q \neq p$ and any event $C$ such that $C|_q$ exists:

$$A \to C \text{ in } M \iff B \to C \text{ in } M$$

$$C \to A \text{ in } M \iff C \to B \text{ in } M$$

Informally, $A \sim_p B$ when both are cyclic (never part of a timeslice) or both are acyclic, and both divide the atoms from other processes into the same "past" and "future" sets.

View-Complete  Models  View-completeness  is  simply  the  property  of  every  edge  having  an 
externally  equivalent  event: 

Definition 12.6 Suppose parallel pair $(M, M')$ acts on graph $\alpha$. Graph $\gamma = M(\alpha)$ is view-complete when for any edge $E \in \gamma$ and $p \in$ PROC-NAMES, if $E|_p$ exists, then there exists a node $A \in \gamma$ with $A \sim_p E$.

If  M  produces  only  view-complete  graphs,  then  we  say  that  parallel  pair  (M,  M')  is 
view-complete. 

Usually  an  Endpoint  It  would  be  convenient  if  in  a  view-complete  model,  the  event  externally 
equivalent  to  a  given  edge  were  always  one  of  the  endpoints  of  the  edge.  We  can  establish  that  for 
models  meeting  a  fairly  reasonable  property,  this  will  be  the  case. 

We  start  by  defining  the  property:  when  the  model  draws  no  back-edges  or  self-loops  along 
process  components. 

Definition 12.7 A multiprocess pair $(M, M')$ with localization $L$ is locally acyclic when for any $A$, $B$:

$$A \to B \text{ in } L \implies B \not\to A \text{ in } M$$

We  call  this  property  “locally  acyclic”  because  cycles  in  such  models  must  touch  more  than  one 
process: 

Lemma 12.8 Suppose locally acyclic multiprocess pair $(M, M')$ acts on graph $\alpha$.

If event $A$ from $\gamma = M(\alpha)$ satisfies

• $A \leftrightarrow A$ in $\gamma$

• $A|_p$ exists, for some $p \in$ PROC-NAMES

then there exists event $B$ in $\gamma$ satisfying:

• $A \leftrightarrow B$ in $\gamma$

• $B|_q$ exists, for some $q \neq p$

Proof If $\gamma$ provides a path from $A$ to $A$ that does not touch such a $B$, $\gamma$ must have an edge that contradicts Definition 12.7. □

As  promised,  if  the  model  is  locally  acyclic,  then  the  event  for  an  edge  must  be  an  endpoint. 

Proposition 12.9 Suppose parallel pair $(M, M')$ is locally acyclic and view-complete. If edge $E$ connects $E_{\mathrm{in}}$ to $E_{\mathrm{out}}$ in an $M$ graph and $E|_p$ exists, then $E \sim_p E_{\mathrm{in}}$ or $E \sim_p E_{\mathrm{out}}$.

Proof If $E$ is cyclic in $M$, then the conclusion easily holds. So, assume $E$ is acyclic.

Since $(M, M')$ is view-complete, a node $A$ must exist with $E \sim_p A$. Since the transitive $p$ component is totally ordered, in $M'(\alpha)$ we have either $A|_p \Rightarrow E_{\mathrm{in}}|_p$ or $E_{\mathrm{out}}|_p \Rightarrow A|_p$.

Consider the case when $A|_p \Rightarrow E_{\mathrm{in}}|_p$. Assume atom $C$ occurs at a different process: for some $q \neq p$, $C|_q$ exists.

• If $C \to E$ then $C \to A$ and hence $C \to E_{\mathrm{in}}$.

• If $C \to E_{\mathrm{in}}$, then $C \to E$ by Definition 12.4.

• If $E \to C$ then easily $E_{\mathrm{in}} \to C$.

• If $E_{\mathrm{in}} \to C$ then $A \to C$ and hence $E \to C$.

• If $E_{\mathrm{in}}$ is cyclic, then Lemma 12.8 gives us a $B$ at another process with $B \leftrightarrow E_{\mathrm{in}}$; such a $B$ precedes $E$ and also follows $E$ (since $B$ follows $A$, and $A \sim_p E$). This violates our assumption that $E$ is acyclic, thus $E_{\mathrm{in}}$ must be acyclic.

Thus $E \sim_p E_{\mathrm{in}}$.

Similarly, if $E_{\mathrm{out}}|_p \Rightarrow A|_p$ then $E \sim_p E_{\mathrm{out}}$. □


12.3.  Timeslices  in  View-Complete  Models 

View-completeness  suffices  to  provide  a  very  nice  characterization  of  timeslices. 


Preparation  First,  we  establish  that  edges  following  an  entry  in  the  timestamp  vector  of  an 
event  cannot  precede  that  event: 
Lemma 12.10 Suppose parallel pair $(M, M')$ acts on graph $\alpha$. Let $\gamma = M(\alpha)$ and $\beta = M'(\alpha)$.

Let $A$ be an event in $\gamma$, let $p \in$ PROC-NAMES, and let edge $E$ from $\gamma$ have $E|_p$ nonempty. If $\pi_p V(A)$ is defined, then

$$(\pi_p V(A))|_p \to E|_p \text{ in } \beta \implies E \not\to A \text{ in } \gamma$$

If $\pi_p R(A)$ is defined, then

$$E|_p \to (\pi_p R(A))|_p \text{ in } \beta \implies A \not\to E \text{ in } \gamma$$

Proof Let $B = \pi_p V(A)$, let $E$ connect $B$ to $C$, and let $B'$, $E'$ and $C'$ be their process $p$ images in $\beta$. If $E \to A$ then $C \Rightarrow A$ (by Definition 12.4), but $B' \to C'$ in the transitive $p$ component. Hence $B$ could not have been the $p$ entry of the timestamp vector. The rollback case is similar. □


The  Main  Result  With  view-completeness,  timeslices  are  exactly  the  consistent  cuts. 

Theorem  12.11  (View-Completeness)  Suppose  (M,  M')  is  a  transitively-bounded 
view-complete  parallel  pair.  Then  M-timeslices  are  consistent  cuts. 

Proof Let $(M, M')$ act on graph $\alpha$, with $\gamma = M(\alpha)$ and $\beta = M'(\alpha)$.

Clearly  the  bounding  singletons  are  timeslices,  and  no  other  timeslice  can  contain  a  bounding 
node.  So  let  X  be  a  timeslice  different  from  the  bounding  singletons.  Since  X  is  a  partial  cut,  if 
X  is  not  a  consistent  cut  then  some  process  p  must  not  be  represented. 

We  will  now  demonstrate  that  this  can  never  be  the  case,  by  showing  that  if  process  p  is  not 
represented,  then  X  could  not  have  been  a  timeslice. 

Assume  process  p  is  not  represented  in  X.  Define  events  A  and  B  as  follows: 

$$A = \pi_p \Big( \sqcap_{C \in X} V(C) \Big)$$

$$B = \pi_p \Big( \sqcup_{C \in X} R(C) \Big)$$

If $B \Rightarrow A$, then $X$ cannot be a timeslice. So it must be the case that $A|_p$ properly precedes $B|_p$ in the transitive $p$ component. Hence $A$ cannot be the maximum, so let $E$ be the edge in $\gamma$ connecting $A$ to $\mathrm{next}_p(A)$. The edge $E|_p$ exists and satisfies

$$A|_p \to E|_p \Rightarrow B|_p$$

in $\beta$. By Lemma 12.10, $E$ can neither precede nor follow any event in $X$.

Further, if $E$ were cyclic, then $\mathrm{next}_p(A) \to A$ (by Definition 12.4), hence $\mathrm{next}_p(A)$ would appear in the relevant timestamp vector rather than $A$. Thus $E$ is not cyclic.

Since $(M, M')$ is view-complete, an acyclic event $D$ must exist in $\gamma$ with $D \sim_p E$, hence $X \cup \{D\}$ is mutually concurrent. Since $D$ touches $p$ (by definition of external equivalence), $D \notin X$. Thus $X$ could not have been a timeslice. □

Chapter  13  repairs  POT  by  forcing  it  to  be  view-complete.  Chapter  14  considers  more  deeply 
the implications of the View-Completeness Theorem (Theorem 12.11).

Chapter 13

Real  Simultaneity  and 
View-Complete  Partial  Order  Time 


This  chapter  uses  the  results  of  Chapter  12  to  revise  the  POT  model  so  that  it  exhibits  the  correct 
timeslice  behavior.  We  offer  two  approaches,  both  of  which  hinge  on  forcing  POT  to  be  view- 
complete.  In  Section  13.1,  we  restrict  the  input  graphs  so  that  only  well-behaved  graphs  come  out; 
in  Section  13.2  we  explicitly  insert  place-holder  events.  In  Section  13.3,  we  demonstrate  that  these 
fixes  work. 


13.1.  One  Fix:  Restrict  the  Domain 


One  approach  is  simply  to  restrict  the  domain  of  graphs  to  which  POT  applies. 

Definition 13.1 Define the restricted partial order time model RPOT to be the model POT, restricted to ground-level graphs whose images are view-complete. That is, RPOT = POT, on the domain

$$\mathcal{V} = \{\alpha : \mathrm{POT}(\alpha) \text{ is view-complete}\}$$


13.2. Another Fix: Insert the Necessary Events

A more general technique to see that any transitively-bounded parallel model is view-complete is to insert place-holder events into the edges between consecutive events at a process.

For parallel pair $(M, M')$, we need to do this insertion both in the $M$ graph and in the $M'$ graph. But since $(M', M')$ is trivially a parallel pair, we can use the same operator for both.

Definition 13.2 Suppose parallel pair $(M, M')$ acts on graph $\alpha$. Let $\gamma = M(\alpha)$ and $\beta = M'(\alpha)$.

Define the place-holding model PH on such $\gamma$ as follows. First, create a copy of $\gamma$, with each atom representing itself. Then, for each edge $E$ in $\gamma$ with $E|_{M'}$ nonempty:

• Delete edge $E$ from the copy.

• Add to the copy a new intermediate node $(A \| B)$ representing the deleted edge, where $A$ and $B$ are the nodes that $E$ connects in $\gamma$.

• Add to the copy two ghost edges: $A \to (A \| B)$ and $(A \| B) \to B$

The  place-holding  model  acts  exactly  as  desired: 

Theorem 13.3 If $(M, M')$ is a parallel pair, then

$$(\mathrm{PH} \circ M),\ (\mathrm{PH} \circ M')$$

is a view-complete parallel pair.

Proof This result follows directly from the definitions. The PH model just adds intermediate nodes and the appropriate edges, and does the same things both to $M$ and to $M'$. Any edge from $M'$ now is split into two edges surrounding an intermediate node, and this new node is externally equivalent to these edges. □

Figure  13.1  illustrates  this  behavior. 

(Strictly  speaking,  to  make  POT  view-complete,  we  only  need  to  insert  intermediate  nodes  into 
TIMELINES  edges  from  send  events  to  receive  events.  Further,  these  insertions  are  sufficient  but 
still  not  necessary — consider  messages  that  carry  no  new  ordering  information.) 

Applying  PH  also  preserves  transitive  bounding. 

Proposition 13.4 $\mathrm{PH} \circ M$ is transitively bounded iff $M$ is transitively bounded.

Proof  Inserting  intermediate  events  does  not  change  the  extrema.  □ 

13.3. These Fixes Work


Once  modified  to  be  view-complete,  the  POT  model  exhibits  the  desired  timeslice  behavior. 

Definition  13.5  Define  the  model  PPOT  to  be  the  composition  PH  o  POT. 

Theorem 13.6 Suppose PPOT or RPOT generates graph $\gamma$. If a set of events $X$ in $\gamma$ is a timeslice in $\gamma$, then $X$ minimally represents a global state.

Proof This fact follows directly from Theorem 11.8 and the View-Completeness Theorem (Theorem 12.11). □

Figure 13.1 We apply PH to a parallel pair $(M, M')$. This action preserves the parallelism: $\mathrm{PH} \circ M$ is still parallel, with multicomponent $\mathrm{PH} \circ M'$. Further, the action ensures view-completeness: each edge now has a place-holder event.


Theorem 13.7 Suppose PPOT or RPOT generates graph $\gamma$. If a set of events $X$ from $\gamma$ minimally represents a global state, then $X$ is a timeslice in $\gamma$.

Proof A (nontrivial) global state maps to a full cut $X$ in PPOT (or RPOT, respectively). Since MSG edges and $\mathrm{PH} \circ \mathrm{TIMELINE}$ edges go strictly forward in time, $X$ must be consistent. □

Theorem 13.8 Let $X$ be a global state from ground-level graph $\alpha$. If an event in $\mathrm{PPOT}(\alpha)$ represents any part of $X$, then a timeslice in $\mathrm{PPOT}(\alpha)$ minimally represents $X$; similarly for $\mathrm{RPOT}(\alpha)$.

Proof This theorem follows directly from the proof for Theorem 13.7. □
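The failure of Section 11.3 and the repair of this chapter can both be watched on the graph of Figure 11.2. The following Python program is an added example (not the thesis's own code): it builds the POT graph of that figure (p sends, q receives and replies, p receives), enumerates the timeslices as maximal mutually concurrent sets, checks which of them are consistent cuts, and then applies the place-holding model PH of Definition 13.2 to the timeline edges. Bounding nodes BOT and TOP are included so that the initial and final global states are represented; function names are assumptions of this example.

```python
"""Timeslices versus consistent cuts, before and after PH (added example,
not code from the thesis).  Graph constructed from Figure 11.2."""
from itertools import combinations

BOT, TOP = "BOT", "TOP"
# Constructed sample: p sends, q receives and replies, p receives the reply.
PROC = {"p_send": "p", "p_recv": "p", "q_recv": "q", "q_send": "q"}
TIMELINE = [(BOT, "p_send"), ("p_send", "p_recv"), ("p_recv", TOP),
            (BOT, "q_recv"), ("q_recv", "q_send"), ("q_send", TOP)]
MSG = [("p_send", "q_recv"), ("q_send", "p_recv")]


def closure(edges):
    """reach[a]: every node strictly after a (Warshall over sets)."""
    nodes = {x for e in edges for x in e}
    reach = {n: {b for a, b in edges if a == n} for n in nodes}
    for k in nodes:
        for n in nodes:
            if k in reach[n]:
                reach[n] |= reach[k]
    return reach


def timeslices(edges):
    """Maximal mutually concurrent event sets, by brute force over subsets
    (fine for the dozen nodes of this example)."""
    reach = closure(edges)
    nodes = sorted(reach)

    def concurrent(s):
        return all(b not in reach[a] and a not in reach[b]
                   for a, b in combinations(s, 2))

    sets = [frozenset(s) for k in range(1, len(nodes) + 1)
            for s in combinations(nodes, k) if concurrent(s)]
    return {s for s in sets if not any(s < t for t in sets)}


def is_consistent_cut(X, proc):
    """A timeslice that describes activity at every process; the bounding
    nodes BOT and TOP are taken to touch every process."""
    touched = set()
    for e in X:
        touched |= set(proc.values()) if e in (BOT, TOP) else {proc[e]}
    return touched == set(proc.values())


def place_holders(timeline, proc):
    """PH (Definition 13.2) on the timeline edges: each A -> B becomes
    A -> (A||B) -> B, the new node living at the process of the edge."""
    new_edges, new_proc = [], dict(proc)
    for a, b in timeline:
        mid = f"({a}||{b})"
        new_proc[mid] = proc.get(a) or proc.get(b)   # BOT/TOP carry no process
        new_edges += [(a, mid), (mid, b)]
    return new_edges, new_proc


def report(edges, proc):
    """(all timeslices, those timeslices that are consistent cuts)."""
    ts = timeslices(edges)
    return ts, {X for X in ts if is_consistent_cut(X, proc)}


if __name__ == "__main__":
    ts, cuts = report(TIMELINE + MSG, PROC)
    print("POT timeslices:", sorted(map(sorted, ts)))
    print("POT consistent cuts:", sorted(map(sorted, cuts)))
    ph_edges, ph_proc = place_holders(TIMELINE, PROC)
    ts, cuts = report(ph_edges + MSG, ph_proc)
    print("after PH, every timeslice is a consistent cut:", ts == cuts)
```

On the unrepaired graph the four events form one chain, so every timeslice is a singleton and only {BOT} and {TOP} are consistent cuts; {q_send} is the offending timeslice of Section 11.3. After PH, each timeslice other than the bounding singletons is a pair touching both processes, for instance {(p_send||p_recv), q_recv}, which is the moment of concurrency that process p experienced on its edge.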

Chapter 14

Timeslices  and  View-Completeness 


This  chapter  explores  the  structure  of  timeslices  in  view-complete  parallel  pairs. 

Section  14.1  introduces  terms  for  two  more  varieties  of  multiprocess  pairs.  Section  14.2 
presents  a  convenient  extendibility  property  that  follows  from  the  View-Completeness  Theorem 
(Theorem  12.11).  Section  14.3  introduces  an  alternate  form  of  timestamp  and  rollback  vectors; 
Section  14.4  uses  these  alternate  forms  to  characterize  timeslices. 


14.1. Two New Types of Models

Since this chapter will build on the View-Completeness Theorem (Theorem 12.11), we now define a short term summing up the conditions of that theorem:

Definition 14.1 If two models $(M, M')$ are a view-complete parallel pair, and $M$ is transitively bounded, then we say that $(M, M')$ is a consistent pair.

The  View-Completeness  Theorem  (Theorem  12.11)  inspires  this  term:  timeslices  are  consistent 
cuts. 

Section  14.4  uses  an  additional  property:  that  the  process  components  appear  independently  in 
the  global  model. 

Definition 14.2 A multiprocess pair $(M, M')$ is independent when, in any graph generated by $M$, any atom (except a bounding node) represents exactly one atom in exactly one component model in $M'$.


14.2.  Extendibility 

The View-Completeness Theorem (Theorem 12.11) yields the following as an easy consequence.

Theorem 14.3 (Extendibility) Suppose consistent parallel pair $(M, M')$ generates graph $\gamma$. Any set $X$ of mutually concurrent events from $\gamma$ extends to a consistent cut: that is, a consistent cut $X'$ exists with $X \subseteq X'$.

Proof Such a set $X$ extends to a maximal concurrent set $X'$. From the View-Completeness Theorem (Theorem 12.11), $X'$ must be a consistent cut. □

Hence  any  acyclic  event  is  part  of  a  consistent  cut,  and  we  can  find  timeslices  using  a  greedy 
algorithm:  just  keep  appending  mutually  concurrent  events. 


14.3.  Extremal  Timeslices 


From the Extendibility Theorem (Theorem 14.3), we know that any acyclic event naturally extends to a timeslice. From the View-Completeness Theorem (Theorem 12.11) we know that this timeslice will be a consistent cut. From Theorem 9.21 we know these consistent cuts form a lattice. Since things are finite, this set has a unique maximum and a unique minimum.

Section  14.3.1  constructs  these  extremal  consistent  cuts:  they  are  the  timestamp  and  rollback 
vectors,  slightly  adjusted.  Section  14.3.2  proves  that  the  event  sets  of  these  adjusted  vectors  are 
indeed  the  extremal  cuts.  (Section  14.4  will  use  these  adjusted  vectors  to  characterize  arbitrary 
timeslices.) 


14.3.1. Adjusted Timestamp Vectors and Adjusted Rollback Vectors

The timestamp vector of an event consists of the maximal event from each process that precedes or equals that event. Suppose acyclic event $A$ occurs at exactly one place: process $p$. Then the $p$ entry from $V(A)$ equals $A$. We obtain the adjusted timestamp vector by, for each $q \neq p$, replacing the process $q$ entry of $V(A)$ with the minimal event equivalent to its local successor edge. Barring local cycles, we just take the $\pi_q V(A)$ entry and adjust it one event forward. In the more general case that $A$ occurs at multiple processes, we only slide forward the events at the processes that $A$ does not touch.

We define adjusted rollback vectors symmetrically by adjusting backward the entries from the rollback vector. For each $q \neq p$, we replace the process $q$ entry of $R(A)$ with the maximal event equivalent to its local predecessor edge.

Definition 14.4 Suppose consistent parallel pair $(M, M')$ acts on graph $\alpha$. Let $A$ be an acyclic non-bounding event from $\gamma = M(\alpha)$; let $\beta = M'(\alpha)$.

Construct the adjusted timestamp vector $V^*(\gamma, M, M', A)$ from $V(A)$ as follows. For each $p \in$ PROC-NAMES such that $A|_p$ does not exist:

• Let $E$ be the edge from $\pi_p V(A)$ to $\mathrm{next}_p(\pi_p V(A))$.

• Replace $\pi_p V(A)$ by the $p$-minimum from

$$\{C : C \sim_p E\}$$

Define the adjusted rollback vector $R^*$ similarly, using $\mathrm{prev}_p(\pi_p R(A))$ and the $p$-maximum. As with ordinary timestamp vectors, we will truncate the cumbersome parameter list whenever possible.

Definition  14.4  works:  the  entries  of  the  adjusted  timestamp  vectors  and  adjusted  rollback 
vectors  exist. 

Proposition 14.5 Suppose consistent parallel pair $(M, M')$ acts on graph $\alpha$. Let $A$ be an acyclic non-bounding event from $\gamma = M(\alpha)$;  let $\beta = M'(\alpha)$. All entries of $V^*(A)$ and $R^*(A)$ are defined.

Proof If $V(A)$ contains the $\gamma$ maximum, then $A$ must be the maximum. From this observation and from Proposition 8.10, if $A$ is non-bounding, then no $(\pi_p V(A))|_p$ is the $p$-maximum in $\beta$. Hence such an edge $E$ exists, and because $(M, M')$ is view-complete, the set must be nonempty. By definition of $\sim_p$, each event in the set must touch the $p$ component. The rollback case is similar. □

Figure  14.1  distinguishes  between  timestamp  vectors  and  adjusted  timestamp  vectors. 

Adjusting vectors is complicated only when events can occur at multiple processes or when the view-complete event for an edge is not an endpoint. Since neither of these facts applies to PPOT or RPOT, adjusting vectors in these models is fairly simple.


14.3.2. The Extremal Timeslice Theorem

If  event  A  is  acyclic,  then  at  every  process  where  A  does  not  occur,  the  timestamp  vector  entry 
must  precede  the  rollback  vector  entry. 

Let  p  be  such  a  process.  At  p,  the  first  edge  after  the  timestamp  entry  and  the  last  one  before 
the  rollback  entry  must  both  be  concurrent  with  A.  We  select  the  V*  and  R*  entries  by  finding  the 
minimal  and  maximal  externally  equivalent  events  (respectively) — hence  the  V*  and  R*  entries  are 
respectively  the  minimal  and  maximal  p  events  concurrent  with  A. 

Consequently,  the  adjusted  vectors  give  the  bounds  of  the  lattice  of  consistent  cuts  containing 
an  event: 

Theorem 14.6 (Extremal Timeslices) Suppose consistent parallel pair $(M, M')$ acts on graph $\alpha$. Let $\gamma = M(\alpha)$.

If $A$ is an acyclic non-bounding event, then

$$\{B \in V^*(A)\} = \sqcap \{X : X \text{ is a consistent cut containing } A\}$$

$$\{B \in R^*(A)\} = \sqcup \{X : X \text{ is a consistent cut containing } A\}$$

Figure 14.1 (panels labelled $V(A)$ and $V^*(A)$) For an event $A$, the timestamp vector $V(A)$ is its information horizon: the latest event, at each process, that $A$ may have heard about. The adjusted timestamp vector $V^*(A)$ is just the timestamp vector, advanced one position everywhere except global event $A$.

Proof If $A$ touches every process, then $V^*(A) = R^*(A)$ and every entry is $A$. This set is mutually concurrent because $A$ is acyclic. Because the process components are totally ordered, this can be the only timeslice.

So, assume that there exists a process $p \in$ PROC-NAMES such that $A|_p$ does not exist. Let $B = \pi_p V(A)$ and $C = \pi_p R(A)$. From Theorem 10.4, no event $D$ touching $p$ and concurrent with $A$ can have $D \Rightarrow B$ or $C \Rightarrow D$. If $C \Rightarrow B$, then $A$ cannot be acyclic. So it must be the case that $B|_p$ properly precedes $C|_p$ in the transitive $p$ component. Let $E_B$ be the edge connecting $B$ to $\mathrm{next}_p(B)$ in $\gamma$, and $E_C$ be the edge connecting $\mathrm{prev}_p(C)$ to $C$. Edge $E_B$ is concurrent with $A$ and acyclic:

• Concurrent. If $E_B$ preceded $A$, then the out node of $E_B|_p$ in $\beta$ would be the $\pi_p V(A)$ entry, rather than the in node. If $E_B$ followed $A$, then by Definition 12.4 $A \to B$, which together with $B \Rightarrow A$ would give $A \leftrightarrow B$ and hence $A$ is cyclic.

• Acyclic. If $E_B$ were cyclic, then $\mathrm{next}_p(B) \to B$ and thus $B$ would not be the $p$ entry in $V(A)$.

Hence $\{\pi_p V^*(A), A\}$ is a mutually concurrent set in $\gamma$, and so can be expanded to a consistent cut, but no event preceding $\pi_p V^*(A)$ in the $p$ component can be part of a timeslice with $A$.

The case for $\pi_p R^*(A)$ is similar. □

Definition  14.4  defined  adjusted  timestamp  vectors  and  adjusted  rollback  vectors  as  vectors: 
arrays  of  events.  The  Extremal  Timeslice  Theorem  (Theorem  14.6)  establishes  that  these  vectors 
possess  even  more  structure:  their  event  sets  are  both  cuts  and  timeslices. 

Corollary 14.7 The event sets of $V^*(A)$ and $R^*(A)$ are consistent cuts.

Proof The $\sqcap$ and $\sqcup$ operations preserve consistent cuts. □

Consequently, we can now regard $V^*(A)$ and $R^*(A)$ as simply event sets, since projection will never be ambiguous.
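Definition 14.4, Theorem 14.3 and Theorem 14.6 can be checked on a small graph. The following Python program is an added example, not code from the thesis: on a constructed PPOT-style graph (three processes whose timelines already carry the place-holder events, written with underscores, so the graph is view-complete) it computes $V(A)$, $R(A)$, then $V^*(A)$ and $R^*(A)$ by searching for the events externally equivalent to the successor and predecessor edges, and compares the result with the componentwise meet and join of all consistent cuts containing $A$ found by brute force; it also runs the greedy extension of Theorem 14.3. Two assumptions of the example: the bounding nodes BOT and TOP touch every process, and the external-equivalence test of Definition 12.5 compares views over the non-bounding events only. Function names are assumptions as well.

```python
"""Adjusted timestamp and rollback vectors on a view-complete graph
(added example, not the thesis's code).  Sample graph is constructed."""
from itertools import combinations, product

BOT, TOP = "BOT", "TOP"
# Constructed PPOT-style sample: p_a, p_b, ... are the place-holders that
# PH inserted between the "real" events p1, p2, ...; timelines in order.
TIMELINES = {
    "p": ["p_a", "p1", "p_b", "p2", "p_c"],
    "q": ["q_a", "q1", "q_b", "q2", "q_c"],
    "r": ["r_a", "r1", "r_b", "r2", "r_c"],
}
MESSAGES = [("p1", "q1"), ("r1", "p2"), ("q2", "r2")]   # (send, receive)


def build_edges(timelines, messages):
    edges = list(messages)
    for line in timelines.values():
        chain = [BOT] + line + [TOP]
        edges += list(zip(chain, chain[1:]))
    return edges


def closure(edges):
    """reach[a]: every node strictly after a (Warshall over sets)."""
    nodes = {x for e in edges for x in e}
    reach = {n: {b for a, b in edges if a == n} for n in nodes}
    for k in nodes:
        for n in nodes:
            if k in reach[n]:
                reach[n] |= reach[k]
    return reach


REACH = closure(build_edges(TIMELINES, MESSAGES))
PROC = {e: p for p, line in TIMELINES.items() for e in line}   # event -> process


def concurrent(a, b):
    return a != b and b not in REACH[a] and a not in REACH[b]


def view(in_node, out_node, p):
    """External view at p (Definitions 12.4, 12.5): the non-bounding events
    at other processes preceding in_node / following out_node.  Pass an
    event twice, or an edge's endpoints.  Ignoring BOT/TOP is an assumption."""
    others = [e for e, q in PROC.items() if q != p]
    past = frozenset(c for c in others if in_node in REACH[c])
    future = frozenset(c for c in others if c in REACH[out_node])
    return past, future


def timestamp_vector(a):
    """pi_p V(a): latest event at each process preceding or equal to a."""
    return {p: ([e for e in line if e == a or a in REACH[e]] or [BOT])[-1]
            for p, line in TIMELINES.items()}


def rollback_vector(a):
    """pi_p R(a): earliest event at each process following or equal to a."""
    return {p: ([e for e in line if e == a or e in REACH[a]] or [TOP])[0]
            for p, line in TIMELINES.items()}


def adjusted_vectors(a):
    """V*(a) and R*(a) per Definition 14.4: at every process a does not
    touch, slide the V entry to the p-minimum event equivalent to its
    successor edge and the R entry to the p-maximum equivalent to its
    predecessor edge."""
    v, r = timestamp_vector(a), rollback_vector(a)
    for p, line in TIMELINES.items():
        if PROC[a] == p:
            continue
        chain = [BOT] + line + [TOP]
        b, c = v[p], r[p]
        succ_edge = (b, chain[chain.index(b) + 1])      # b -> next_p(b)
        pred_edge = (chain[chain.index(c) - 1], c)      # prev_p(c) -> c
        lo = [d for d in line if view(d, d, p) == view(*succ_edge, p)]
        hi = [d for d in line if view(d, d, p) == view(*pred_edge, p)]
        if not lo or not hi:                            # Proposition 14.5 fails
            raise ValueError(f"graph is not view-complete at process {p}")
        v[p], r[p] = lo[0], hi[-1]
    return v, r


def consistent_cuts_containing(a):
    """Brute force: one event per process, mutually concurrent, containing a."""
    choices = [[a] if PROC[a] == p else line for p, line in TIMELINES.items()]
    return [dict(zip(TIMELINES, combo)) for combo in product(*choices)
            if all(concurrent(x, y) for x, y in combinations(combo, 2))]


def meet_and_join(cuts):
    """Componentwise earliest / latest entries (the lattice meet and join)."""
    meet = {p: min((c[p] for c in cuts), key=line.index) for p, line in TIMELINES.items()}
    join = {p: max((c[p] for c in cuts), key=line.index) for p, line in TIMELINES.items()}
    return meet, join


def greedy_extend(seed):
    """Theorem 14.3: keep appending events concurrent with everything chosen."""
    chosen = list(seed)
    for e in sorted(PROC):
        if all(concurrent(e, c) for c in chosen):
            chosen.append(e)
    return set(chosen)


def is_consistent_cut(events):
    return (all(concurrent(x, y) for x, y in combinations(sorted(events), 2))
            and {PROC[e] for e in events} == set(TIMELINES))
```

For A = q1 (the receive of the message from p1) the program finds V(q1) = (p1, q1, BOT) and V*(q1) = (p_b, q1, r_a), R(q1) = (TOP, q1, r2) and R*(q1) = (p_c, q1, r_b), and these adjusted vectors coincide with the meet and join of the five consistent cuts containing q1, as Theorem 14.6 predicts. Removing the place-holders from the timelines makes adjusted_vectors raise, which is the non-view-complete situation the chapter set out to repair.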


14.4.  Characterizing  Timeslices 

The  Extremal  Timeslice  Theorem  (Theorem  14.6)  tells  us  that  the  adjusted  timestamp  vector  for 
an  event  gives  us  the  minimal  timeslice  containing  that  event.  One  might  conjecture  that  any 
timeslice can be obtained this way, but this conjecture is false. Figure 14.2 sketches a simple
counter-example. 

If this conjecture were to hold in general, then every timeslice $X$ would have to possess some event $A$ that forces each remaining $B \in X$ to be part of $X$, where event $A$ forces an event $B$ when $B \neq A$ and $B \in V^*(A)$.

The  conjecture  fails  because  acyclic  events  can  be  mutually  concurrent  without  forcing  each 
other.  However,  we  can  express  this  forcing  relation  with  a  time  model.  If  our  consistent  parallel 
pair  is  acyclic  and  independent,  then  the  forcing  model  will  form  an  acyclic  independent  parallel 
pair. 

This insight yields two results:

Unique Signatures Suppose $X$ is a timeslice. It is not true in general that $X$ is the adjusted timestamp vector of one entry. However, it is trivially true that $X$ equals the join of the adjusted timestamp vectors over all elements of $X$; that is, the relation

$$X = \sqcup \{V^*(A) : A \in Y\}$$

holds with $Y = X$. If we removed elements from $Y$ one by one, when would this relation stop holding? We can establish that there is a unique $Y \subseteq X$ such that the relation holds for $Y$, but does not hold for any proper subset of $Y$.

Meta-Timeslices A set of events is such a "timeslice" signature iff it is a mutually concurrent set in the forcing model. Consequently, a timeslice of $k$ events in the forcing model expresses $2^k$ timeslices in the original model.

In  Section  14.4.1,  we  define  the  FORCE  model,  to  capture  when  an  event  forces  another.  In 
Section  14.4.2  we  establish  a  series  of  lemmas  about  the  FORCE  model  and  the  parallel  pairs  it 
induces.  We  use  these  lemmas  to  establish  our  main  result  in  Section  14.4.3. 


Figure 14.2 Timeslice $X = \{A, B\}$ equals neither $V^*(A)$ nor $V^*(B)$. This example disproves the conjecture that the Extremal Timeslice Theorem (Theorem 14.6) might characterize all timeslices.
14.4.1. A Model to Express Forcing


We  define  a  model  that  copies  each  cross-process  edge  in  the  single-step  global  model  and  slides 
the  in-node  one  event  forward. 

Definition 14.8 Suppose independent parallel pair $(M, M')$ acts on graph $\alpha$. Let $\gamma = M(\alpha)$ and $\beta = M'(\alpha)$.

Define the model FORCE on $\gamma$ as follows:

• copy $\gamma$; let each atom here represent itself.

• for each pair of non-bounding nodes $A$, $B$ such that:

  - $A \to B$ in $\gamma$

  - $A$ occurs at process $p$ but $B$ does not,

add a ghost edge from $\mathrm{next}_p(A)$ to $B$ in the copy.

For  example,  to  construct  FORCE  o  POT  we  copy  the  POT  graph,  and  then  for  each  send  whose 
receive  is  at  a  different  process,  we  draw  an  edge  from  the  successor  of  the  send  to  the  receive. 

The  remainder  of  Section  14.4  establishes  that  FORCE  captures  the  forcing  discussed  earlier. 
Figure 14.2  illustrated  this  fact:  the  counter-example  timeslice  X  remains  a  timeslice  even  if  we 
apply  FORCE — indicating  that  neither  event  forces  the  other. 


14.4.2.  Preparation 

First,  we  show  that  applying  FORCE  preserves  independence  and  parallelism. 

Lemma 14.9  Suppose (M, M') is an independent consistent parallel pair. Then ((FORCE ∘ M), M') is an independent transitively-bounded parallel pair.

Proof  This is clear from the definitions. The only tricky part is showing that FORCE ∘ M is bounded.

Suppose FORCE adds edge next_p(A) → B, and next_p(A) was the global maximum. Let E be the edge from A to next_p(A). E is concurrent with B, but no node at p is. Hence (M, M') could not be view-complete. □

The  FORCE  model  does  not  preserve  consistency  because  the  resulting  model  may  not  be 
view-complete.  Consider  the  PPOT  model.  If  only  an  intermediate  event  keeps  a  send  from 
immediately  preceding  a  receive,  then  FORCE  will  slide  the  in-node  of  the  message  edge  up  to 
the  intermediate  event.  The  edge  from  the  intermediate  event  to  the  receive  will  then  have  no 
externally  equivalent  event. 
We can use view-completeness to show that a path in γ can always be extended on the end with FORCE(γ) edges:

Lemma 14.10  Suppose independent consistent parallel pair (M, M') acts on graph α. Let γ = M(α) and β = M'(α).

Suppose A → B in γ and B → C in FORCE(γ). Then A → C in γ.

Proof  We establish the result assuming B → C in FORCE(γ) but not in γ. The more general result follows easily: just use this special result to have the γ path absorb each edge of the FORCE(γ) path in turn.

Let event B occur at process p. Then C must occur somewhere else, and prev_p(B) → C in γ. Thus any event D at process p satisfies

D → C in γ  ∨  A → D in γ

If A ↛ C in γ then A ↛ prev_p(B) and B ↛ C. Let E be the edge connecting prev_p(B) to B. Then A ↛ E and E ↛ C. Since (M, M') is view-complete, there exists an event D at process p with A ↛ D and D ↛ C. This violates the above condition. □

However,  a  path  starting  with  a  new  FORCE  edge  only  induces  a  7  path  starting  from  the 
immediate  predecessor  of  the  path’s  first  event. 

Lemma 14.11  Suppose independent consistent parallel pair (M, M') acts on graph α, and γ = M(α).

Suppose non-bounding γ event A occurs at process p ∈ PROC-NAMES. For any event B:

A → B in FORCE(γ)  ⟹  prev_p(A) → B in γ

Proof  If B is bounding, the result is trivial. So assume B is not bounding. Let q be the process of B. Suppose A → B in FORCE(γ). Consider the path from A to B in FORCE(γ):

A → B_1 → ... → B_k = B

If A → B_1 in γ, then we easily have the result:

prev_p(A) → B_1 in γ

Otherwise, Definition 14.8 gives the fact:

prev_p(A) → B_1 in γ

In either case, Lemma 14.10 gives the fact:

Consequently,  FORCE  preserves  the  acyclic  property. 

Lemma 14.12  Suppose consistent parallel pair (M, M') is independent. If M is acyclic then FORCE ∘ M is acyclic.

Proof  Let γ be an M graph. If FORCE(γ) has a cycle, this must have come from a new FORCE(γ) edge, and these all cross processes. So there exists A at process p and B at q ≠ p with A ↔ B in FORCE(γ). Lemma 14.11 gives prev_p(A) → B and prev_q(B) → A in γ. Hence any event at p either precedes B or follows prev_q(B) in γ. But the edge from prev_p(A) to A does neither, and the fact that (M, M') is view-complete gives a contradiction. □

For  events  concurrent  in  the  original  model,  FORCE  precedence  is  equivalent  to  V*  forcing. 

Lemma 14.13  Suppose independent consistent parallel pair (M, M') acts on graph α, M is acyclic, and γ = M(α).

If A and B satisfy A ↮ B in γ, then

A ∈ V*(B)  ⟺  A → B in FORCE(γ)

Proof  Let B occur at process p.

From Proposition 12.9 and Definition 14.4, we know that the p entry of V*(B) is B, but for every q ≠ p, the q entry is next_q(π_q V(B)).

Let A occur at q ≠ p. If A ∈ V*(B), then A ↛ B in γ but prev_q(A) → B in γ, hence A → B in FORCE(γ).

If A → B in FORCE(γ), Lemma 14.11 gives prev_q(A) → B in γ. Since A ↮ B in γ, we have prev_q(A) = π_q V(B). Hence A ∈ V*(B). □


14.4.3.  The  Main  Result 


We  now  establish  the  main  result:  the  FORCE  maxima  of  a  timeslice  form  the  unique  forcing 
subset  of  that  timeslice. 

Theorem 14.14  Suppose independent consistent parallel pair (M, M') acts on graph α, and M is acyclic. Let γ = M(α) and β = M'(α).

Any γ-timeslice X has a unique minimal subset Y such that

X = ⊔{V*(A) : A ∈ Y}

Further, event set Y is such a minimal subset iff it is a mutually concurrent set in graph FORCE(γ).

Proof  Let X be a timeslice from γ. Since FORCE(γ) is acyclic (from Lemma 14.12), let Y be the set of FORCE sinks in X:

Y = max_{FORCE(γ)} X

For some p ∈ PROC-NAMES, let B = π_p X and

B' = π_p (⊔{V*(A) : A ∈ Y})

Consider the two cases:

1.  If B ∈ Y, then for any other C ∈ Y, we have B ↮ C in FORCE(γ). Lemma 14.13 and the fact that B ↮ C in γ also give that B ∉ ⌈V*(C)⌉. Hence B' = B.

2.  If B ∉ Y, then by construction of Y there exists a C ∈ Y with B → C in FORCE(γ). By Lemma 14.13, B ∈ V*(C). If D ≠ C from Y has π_p V*(D) dominating B, then B → D in γ and X could not be a timeslice. Hence B' = B.

Thus we establish the first part of the theorem.

One direction of the second part is easy: by construction of Y, no two events can precede each other in FORCE(γ). For the other direction, observe that Y will be the set of sinks in the γ timeslice ⊔{V*(A) : A ∈ Y}. □

This  theorem  has  another  interesting  aspect:  it  gives  us  our  first  example  of  a  useful  time  model 
different  from  the  standard  LINEAR,  POT  collection. 


Useful  Applying  FORCE  to  a  view-complete  version  of  POT  yields  a  model  whose  timeslices 
represent  large  sets  of  timeslices  in  POT. 

Different  The  LINEAR  model  follows  real  time.  The  POT  model  departs  from  real  time,  but 
still  expresses  a  chronologically  “reasonable”  temporal  order.  However,  the  FORCE  model 
explicitly  expresses  orderings  not  found  in  real  time. 
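The FORCE construction of Definition 14.8 and the check of Theorem 14.14 over every timeslice of a small three-process computation, as an added example that is not code from the paper. It assumes a POT-style graph whose timeslices are its consistent cuts, keeps an entry of V*(B) at the bounding minimum when no event of that process precedes B, and uses constructed sample events and messages.

```python
from itertools import product

# Constructed sample (not from the paper): events per process, and the
# messages (send event, receive event).  No send is immediately followed
# by a receive at one process, so the POT graph is view-complete, as the
# theorem's "consistent parallel pair" hypothesis requires.
PROCS = {"p": 5, "q": 4, "r": 5}
MESSAGES = [(("p", 1), ("q", 1)), (("q", 2), ("r", 1)), (("r", 3), ("p", 3))]
BOTTOM = -1   # no event of this process precedes the event in question

def transitive_closure(events, edges):
    """Strict precedence as the set of (A, B) pairs with A --> B."""
    reach = {e: set() for e in events}
    for a, b in edges:
        reach[a].add(b)
    changed = True
    while changed:                      # fixed-point iteration; graphs are tiny
        changed = False
        for a in events:
            extra = set().union(*(reach[b] for b in reach[a])) - reach[a]
            if extra:
                reach[a] |= extra
                changed = True
    return {(a, b) for a in events for b in reach[a]}

def build_gamma():
    """gamma = POT(sample): local order plus message edges, closed transitively."""
    events = [(p, i) for p, n in PROCS.items() for i in range(n)]
    local = [((p, i), (p, i + 1)) for p, n in PROCS.items() for i in range(n - 1)]
    return events, transitive_closure(events, local + MESSAGES)

def build_force(events, gamma):
    """Definition 14.8: copy gamma; for each cross-process A --> B add a
    ghost edge next_p(A) --> B.  Returns precedence in FORCE(gamma)."""
    ghost = []
    for a, b in gamma:
        if a[0] != b[0]:
            if a[1] + 1 >= PROCS[a[0]]:   # next_p(A) would be the global maximum
                raise ValueError("not a consistent pair: %r has no successor" % (a,))
            ghost.append(((a[0], a[1] + 1), b))
    return transitive_closure(events, list(gamma) + ghost)

def concurrent(rel, a, b):
    return a != b and (a, b) not in rel and (b, a) not in rel

def timestamp_vector(gamma, b):
    """V(B): per process, the latest event preceding or equal to B."""
    vec = {}
    for p, n in PROCS.items():
        before = [i for i in range(n) if (p, i) == b or ((p, i), b) in gamma]
        vec[p] = max(before) if before else BOTTOM
    return vec

def adjusted_vector(gamma, b):
    """V*(B): B at its own process; elsewhere the first event after V(B)'s
    entry that is concurrent with B.  Assumed here: BOTTOM stays BOTTOM."""
    vec = timestamp_vector(gamma, b)
    for p, n in PROCS.items():
        if p == b[0] or vec[p] == BOTTOM:
            continue
        later = [i for i in range(vec[p] + 1, n) if concurrent(gamma, (p, i), b)]
        if not later:
            raise ValueError("no concurrent successor at %s for %r" % (p, b))
        vec[p] = later[0]
    return vec

def timeslices(gamma):
    """Consistent cuts: one event per process, pairwise concurrent in gamma."""
    names = list(PROCS)
    cuts = []
    for idx in product(*(range(PROCS[p]) for p in names)):
        cut = dict(zip(names, idx))
        ev = list(cut.items())
        if all(concurrent(gamma, a, b) for a in ev for b in ev if a < b):
            cuts.append(cut)
    return cuts

def join(vectors):
    """Join in the timeslice lattice: the componentwise latest event."""
    return {p: max(v[p] for v in vectors) for p in PROCS}

def forcing_subset(gamma, force, cut):
    """Theorem 14.14: the FORCE(gamma) sinks Y of timeslice X satisfy
    X = join{V*(A) : A in Y}, no proper subset of Y does, and Y is
    mutually concurrent in FORCE(gamma).  Returns (Y, checks passed)."""
    ev = list(cut.items())
    sinks = [a for a in ev if not any((a, b) in force for b in ev)]
    ok = join([adjusted_vector(gamma, a) for a in sinks]) == cut
    for a in sinks:   # join is monotone, so dropping one sink tests minimality
        rest = [adjusted_vector(gamma, b) for b in sinks if b != a]
        if rest and join(rest) == cut:
            ok = False
    return sinks, ok and all(concurrent(force, a, b) for a in sinks for b in sinks if a < b)

def check_all():
    """Map each timeslice of the sample to (forcing subset, checks passed)."""
    events, gamma = build_gamma()
    force = build_force(events, gamma)
    return {tuple(sorted(c.items())): forcing_subset(gamma, force, c) for c in timeslices(gamma)}
```

The sample has twelve timeslices; the cut (p2, q1, r0), for instance, is forced by {q1, r0} alone, and (p3, q3, r4) by the single event p3.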
Chapter 15
Conclusion


Chapter 1 asserted that distributed systems with distributed information require a distributed notion of time. Chapter 2 through Chapter 14 then developed mechanisms for a theory of distributed time.

This paper concludes by returning focus to the original assertions. Section 15.1 summarizes the mechanisms we developed and the motivations behind them. Section 15.2 outlines future research directions: to demonstrate the power of this theory by using it as a framework for secure applications.


15.1.  Summary 

Distributed  Time  for  Distributed  Systems  Natural  intuition  suggests  that  time  is  linear,  and 
thus  that  we  should  organize  experience  into  a  nicely  behaved  linear  sequence  of  moments.  Recent 
thought  suggests  that  this  intuition  fails  for  asynchronous  distributed  systems,  where  information 
is  distributed  but  perception  is  delayed.  Such  distributed  environments  require  a  more  distributed 
theory  of  time. 


•  Distributed time provides the best perceivable approximation of the underlying linear description, which asynchrony renders unknowable.

•  Distributed  time  provides  a  more  appropriate  language  for  distributed  systems  concepts  not 
expressible  in  the  language  of  real  time. 


Abstracting  away  irrelevant  physical  details  to  some  convenient  notion  of  discrete  event  is  a 
common  tool.  Distributed  time  formalizes  the  notion  of  abstracting  away  irrelevant  temporal  details 
as  well.  The  tools  extend  further:  to  abstracting  away  irrelevant  or  inconvenient  computational 
detail. 


•  Distributed  time  expresses  the  conceit  that  the  computation  that  “really  happens”  differs  from 
the  computation  that  physically  occurred. 
Laying the Groundwork  Our ultimate claim is that distributed time clarifies problems and solutions in distributed environments. This paper lays the groundwork for establishing that claim by building the formal mechanisms for a theory of distributed time.


•  We  built  a  standard  computation  graph  format  to  talk  about  events  and  temporal  precedence, 
and  translated  physical  descriptions  of  computation  into  ground-level  computation  graphs. 

•  We  developed  a  time  model  formalism  to  express  abstraction:  a  time  model  transforms  a 
computation  graph  to  a  more  abstract  one  whose  individual  events  and  edges  may  represent 
events  and  edges  in  the  original  graph. 

•  We  explored  some  properties  of  time  models,  and  in  particular  how  their  functional  nature 
allows  us  to  compose  them  to  build  hierarchies  of  abstraction,  and  multiple  routes  to  the 
same  graph. 

•  We  developed  parallel  pairs  of  time  models,  to  provide  two  levels  of  description  of  parallel 
computation. 

•  We explored the structure of timeslices, the event sets representing points of logical simultaneity. In particular, we showed how timeslices relate to global states in real computations, how timeslices form a lattice, and how to construct time models to provide certain timeslice properties.


15.2.  Future  Work 


Establishing that distributed time is the appropriate framework for distributed systems requires formalizing distributed time; this paper provides that foundation. This section discusses how future work will round out the claim: Section 15.2.1 discusses the benefits of using distributed time, Section 15.2.2 quickly sketches some examples, and Section 15.2.3 outlines further research.


15.2.1.  Using  Distributed  Time 

Distributed  time  provides  a  general  framework  to  think  about  problems  (and  solutions)  relating  to 
time  in  distributed  systems.  We  highlight  some  of  the  advantages: 


Orthogonality  Distributed  time  introduces  orthogonality  between  the  clocks  tracking  temporal 
relations  and  the  protocols  using  these  relations.  We  can  change  clock  implementations, 
perhaps  due  to  security  or  efficiency  requirements,  without  changing  protocols. 

Flexibility  Framing  protocols  explicitly  in  terms  of  distributed  time  allows  insight  and  extensions 
to  the  protocols. 
Expressiveness  Freed from realistically describing computation, distributed time models can express more convenient abstractions. The orthogonality between clocks and protocols extends to an orthogonality between clocks and temporal relations: we can change models without changing the way clocks are called and used.

Abstraction  Hierarchies  By  providing  for  hierarchies  of  related  time  models,  distributed  time 
allows  for  using  protocols  with  multiple  models  even  within  a  single  computation. 

Encapsulation  and  Unification  The  orthogonality  between  clocks  and  protocols  gains  some 
additional  advantages:  we  can  solve  once  and  for  all  the  clock  issues  we  otherwise  need  to 
solve  separately  for  each  protocol,  and  we  can  unify  in  a  single  framework  protocols  that 
separately  affect  distributed  time. 


15.2.2.  Quick Sketches

As  a  preview  of  future  publications,  we  quickly  sketch  some  examples  supporting  how  distributed 
time  might  achieve  the  benefits  we  catalog  above. 

For  these  sketches,  we  consider  two  application  problems  that  lend  themselves  to  distributed 
time. 

Snapshots  As  Chandy  and  Lamport  [ChLa85]  point  out,  the  problem  of  one  process  assembling 
a  distributed  snapshot  of  the  global  state  at  one  instant  is  difficult  when  asynchrony  prevents 
identifying  an  instant,  but  a  consistent  global  state  suffices.  Consistent  global  states  are  just 
the  timeslices  from  a  view-complete  version  of  POT. 

Rollback  If  a  process  wants  to  undo  an  event  A  and  execute  A'  instead,  all  events  that  depend  on 
A  need  to  be  undone.  Distributed  time  is  relevant  on  two  levels:  determining  what  needs  to 
be  undone  reduces  to  detecting  temporal  precedence  in  a  partial  order  model;  establishing  a 
computation  where  A'  happened  instead  of  A  requires  abstracting  from  a  POT  graph  showing 
the  rollback  to  one  showing  the  “correct”  computation. 


Considering  the  problems  of  snapshots  and  rollback  provides  some  simple  examples  of  the 
advantages  of  distributed  time. 

Orthogonality  If  we  obtain  snapshots  by  using  POT-clock  primitives  to  determine  concurrency, 
then  we  can  change  from  vector  clocks  to  logging  sites  (to  avoid  the  n  entries  in  each  vector) 
or  to  signed  vectors  (to  gain  some  degree  of  security)  without  changing  the  protocol. 

Flexibility  Almost  without  exception,  current  snapshot  protocols  use  marker-pushing  and  thus 
are  limited  to  taking  a  single,  roughly  current  snapshot.  Phrasing  the  problem  in  terms  of 
POT  relations  allows  a  protocol  using  POT-clocks,  which  immediately  gives  variations  for 
more  general  versions  of  the  problem,  such  as  off-line  snapshots,  multiple  snapshots,  and 
using  snapshots  to  detect  unstable  properties. 
Expressiveness  Suppose we wanted to pretend that the only instantaneous global states were those where no messages were in transit. A simple extension of POT expresses this conceit: timeslices here are exactly the desired global states. A process can capture such a global state simply by using its favorite snapshot protocol with the new clock primitives.

Abstraction  Hierarchies  Processes  might  want  to  use  multiple  clock  suites  even  within  the 
same  computation.  A  snapshot  with  POT  clocks  provides  a  global  state;  a  snapshot  with 
FORCE  o  POT  clocks  provides  an  exponential  number  of  global  states. 

Encapsulation and Unification  Rollback with modified replay changes history. The orthogonality of clocks and protocols along with the single time framework allows us to still take off-line snapshots using the same snapshot protocols. The hierarchy of models gives further flexibility: a snapshot from the original graph traps for potential global states in the real physical computation; a snapshot from the revised graph traps for global states in the virtual physical computation.


15.2.3.  Research  Plan 

Current  research  consists  of  formalizing  the  points  raised  in  the  quick  sketches.  This  work  explores 
three  principal  topics: 

Distributed Time as a Framework for Applications  We need to formally express application problems (such as snapshots and rollback) in terms of the distributed time framework.

Clocks  for  General  Time  Models  Specifying  clock  behavior  brings  up  some  additional  issues, 
such  as  what  a  process  can  know  about  the  underlying  computation  (knowability)  and  how 
querying about temporal relations should affect the temporal relations (observation effects).

Security  in  Clocks  and  Protocols  By  departing  from  real  time,  we  sacrifice  the  potential  for 
easy  hardware  verification  of  clock  values.  Encapsulation  and  orthogonality  arguments  apply 
here  too:  distributed  time  raises  security  risks,  and  protocols  that  depend  on  distributed  time 
(even  tacitly)  are  liable  to  these  risks. 

Accuracy  Do distributed time clocks accurately report temporal precedence? What happens if networks or processes fail, or act maliciously?

Confinement  Distributed  time  involves  distributing  private  information.  Can  malicious 
agents  exploit  this  information? 

This research project started with the first identification of these security issues [Sm91], and will culminate in a thorough exploration of security and distributed time [Sm94].
Index of Notation

Notation: description (page)

[illegible]: the precedence relation on event sets induced by the graph γ (p. 78)
→: precedes (p. 27)
[illegible]: precedes or equals (p. 27)
↛: does not precede (p. 27)
↔: mutually precedes (p. 27)
[illegible]: mutually precedes or equals (p. 27)
↮: concurrent (p. 27)
[illegible]_p: externally equivalent at p (p. 100)
⊤: maximum or final event (p. 32)
⊥: minimal or initial event (p. 32)
⊓: meet: the greatest lower bound, usually used as a binary operation (p. 79)
⊔: join: the least upper bound, usually used as a binary operation (p. 79)
∪_P: union of graphs relative to pairing P (p. 39)
∪: union of models (p. 41)
[illegible]: disjoint union (pp. 39, 42)
=: graph identity (p. 23)
=_P: graph identity, enumerated by pairing P (p. 23)
≅: graph isomorphism (p. 23)
≅_P: graph isomorphism, enumerated by pairing P (p. 23)
⊆: graph containment (p. 22)
[illegible]: model containment (p. 48)
[illegible]: direct model containment: model containment, except the graphs are identical (p. 49)
[illegible]: strong model containment: model containment, except the constituencies are equal (p. 49)
[illegible]: strong and direct model containment: strong and direct containment simultaneously (p. 49)
⊳: refinement (p. 54)
[illegible]: model component: model containment and ⊳ simultaneously (p. 56)
[illegible]: direct model component: model component with direct containment (p. 56)
[illegible]: strong model component: model component with strong containment (p. 56)
[illegible]: strong and direct model component: model component with strong and direct containment (p. 56)
X|_M': what X represents in the multicomponent M' (p. 68)
X|_p: what X represents in the nontransitive process p component (p. 68)
[illegible]: what X represents in the transitive closure M̄' of the multicomponent (p. 68)
X|_p: what X represents in the transitive process p component (p. 68)
⌈S⌉: local past closure: the events that precede or equal these guys in the multicomponent (p. 71)
⌊S⌋: local future closure: the events that follow or equal these guys in the multicomponent (p. 71)
next(A): the event following A (p. 99)
prev(A): the event preceding A (p. 99)
next_p(A): the following event at process p (p. 100)
prev_p(A): the preceding event at process p (p. 100)
(A ∥ B): the intermediate event between A and B (p. 105)
⟨M, α⟩: representation map from M(α) to α (p. 29)
⟨⟨M, M', α⟩⟩: the containment map from M(α) onto M'(α), when M' is contained in M (p. 49)
M/M': the factoring model from M' graphs to M graphs (p. 61)
W*: strings of items from W (p. 11)
α, β, γ: generic symbols for computation graphs; usually α transforms to β and β transforms to γ (p. 22)
ᾱ: transitive closure of graph α (p. 35)
δ: transition function (p. 11)
Σ: finite binary strings (p. 11)
π_p W: the p element of set W (p. 66)
acyclic: when a node is not on a cycle, or a graph has no cycles, or a model produces only graphs with no cycles (p. 37)
adjusted rollback vector: the rollback vector for an event, with the entries for the other processes replaced by the last acyclic concurrent event, usually the predecessor (p. 110)
adjusted timestamp vector: the timestamp vector for an event, with the entries for the other processes replaced by the first acyclic concurrent event, usually the successor (p. 110)
arrive: event type: message arrives at receive queue (p. 24)
atoms: the nodes and edges of a graph (p. 22)
bounded: possessing a unique minimum event and a unique maximum event (p. 36)
component: a model that produces a well-defined subgraph of another model (p. 56)
computation graph: a labeled directed graph, describing some given computation (p. 21)
compute: event type: change state; leave message queues untouched (p. 12)
CONFIGS: process configurations (p. 11)
concrete generator: a generator that produces no ghost events (p. 38)
concurrent: when two events are incomparable in a temporal relation; also, when a multiprocess pair has the property that extrema from different processes are concurrent (pp. 27, 71)
DEV-CONFIGS: device configurations (p. 14)
consistent cut: a cut that is also a timeslice (p. 77)
consistent parallel pair: a parallel pair that is transitively bounded and view-complete (p. 109)
constituency: the atoms in α that some atom in M(α) represents (pp. 29, 29)
contain: a relation between models, indicating containment of graphs via isomorphism, and containment of constituencies (p. 48)
containment map: the bijection between a subgraph and its isomorphic image (p. 49)
cut: a set of events such that each process is touched exactly once (p. 75)
cyclic: when a node lies on a cycle or when a graph contains cycles (p. 37)
𝒟: generic symbol for domain of a model (p. 29)
decomposition: a model consisting of a disjoint union of components of another model, with some additional properties (p. 59)
decomposition set: the set of components that comprises a decomposition (p. 59)
direct containment: model containment, when the isomorphic graphs are actually identical (p. 49)
direct component: the component relation, when model containment is actually direct containment (p. 56)
domain of a model: the computation graphs on which a model is defined (p. 29)
depart: event type: message departs send queue (p. 24)
DEV-NAMES: I/O device names (p. 11)
event: a discrete "thing that happens," signified by a node in a computation graph (pp. 21, 27)
externally equivalent: when two atoms at the same process appear the same to a different process (p. 100)
EXTREMA: a model to collapse extrema (p. 37)
factoring model: the new model taking graphs generated by a decomposition to graphs generated by a model (p. 61)
FORCE: model to slide in-nodes of cross-process edges forward one position, thus expressing when one event in a timeslice forces the membership of another (p. 115)
𝒢: generic symbol for set of computation graphs (p. 22)
generator of 𝒢: a model taking a set of graphs to 𝒢 (p. 38)
ghost: an atom that represents nothing (p. 28)
global state: the part of the ground-level computation graph representing system activity at some instant in real time (p. 93)
ground-level computation graph: the computation graph version of a system trace (p. 25)
grounding generator: a generator that generates a set of graphs from a set of ground-level graphs (p. 38)
identical: two computation graphs that completely match: edges, nodes, labels (p. 23)
idle: event type: nothing happens (p. 32)
independent: when, in a multiprocess model, each non-bounding atom represents a single atom at a single process component (p. 109)
isomorphism: two computation graphs that match, when we ignore labels (p. 23)
L: generic symbol for localization (p. 69)
LINEAR: the linear order model (p. 32)
linear time order: a "total" order that allows simultaneous events (p. 28)
LINLINE: local timeline model from LINEAR (p. 43)
LINLINES: disjoint union of process LINLINE models (p. 45)
localization: model obtained by retaining only the edges coming from the transitive multicomponent (p. 69)
locally acyclic: when any cycle must involve at least two processes (p. 101)
M: generic symbol for time model (p. 29)
M̄: transitive closure of model M (p. 36)
M': generic symbol for a decomposition of a model M (p. 59)
M(α): the graph produced by M given α (p. 29)
M(𝒢): apply M to each guy in 𝒢 (p. 30)
max_γ: operation on an event set from γ that retains only the relative maxima (p. 78)
MESSAGES: possible messages (p. 11)
MSG: model that makes receives follow sends (p. 45)
min_γ: operation on an event set from γ that retains only the relative minima (p. 78)
model: time model: a representational transformation on computation graphs (p. 29)
multicomponent: the set of process component models for a multiprocess model (p. 65)
multilinear model: a multiprocess model where each process component is linear (p. 72)
multiprocess model: a model consisting of a set of process models glued together (p. 65)
multiprocess pair: a multiprocess model together with a transitive reduction of its multicomponent (p. 65)
NAMES: process and I/O device names (p. 11)
NONIDLE: model that removes idle events (p. 43)
pairing between α₁ and α₂: a subset of α₁ × α₂, pairing a subgraph of the one with a subgraph of the other (p. 23)
parallel model: a concurrent multiprocess model with straight-line process graphs (p. 72)
parallel pair: a parallel model together with its multicomponent (p. 72)
PH: model inserting place-holder events (p. 105)
photo: event type: photo event in ground-level computation graph (p. 25)
POT: model for partial order time (p. 46)
𝒫(W): set of all subsets of W (p. 14)
PPOT: POT with intermediate events (p. 106)
PROC-NAMES: process names (p. 11)
Q: state set for processes (p. 11)
Q_dev: state set for I/O devices (p. 14)
q₀: initial state (p. 11)
R: receive queue (p. 11)
R(γ, M, M', A): the rollback vector of event A in graph γ from parallel pair (M, M') (p. 87)
R(A): the rollback vector for event A, when the graph and models are understood (p. 87)
R*(γ, M, M', A): the adjusted rollback vector of event A in graph γ from parallel pair (M, M') (p. 110)
R*(A): the adjusted rollback vector for event A, when the graph and models are understood (p. 110)
receive: event type: receive a message (p. 12)
representative: the atom in M(α) that represents an atom in α (pp. 29, 29)
representation map: function taking atoms in one graph to what they represent in another (pp. 29, 29)
rollback vector: cut containing the minimal event from each process that follows or equals a given event (p. 87)
RPOT: restricted POT: restrict the domain so that all graphs produced are view-complete (p. 105)
S: send queue (p. 11)
send: event type: send a message (p. 12)
strong containment: model containment, when the constituencies are actually equal (p. 49)
strong component: the component relation, when model containment is actually strong containment (p. 56)
strong direct containment: strong containment and direct containment simultaneously (p. 49)
strong direct component: strong component and direct component simultaneously (p. 56)
SYNC: model synchronizing equal length total orders (p. 46)
system trace: exhaustive physical description of a computation (p. 18)
TIMELINE: local timeline with no idle events (p. 45)
TIMELINES: disjoint union of process TIMELINE models (p. 45)
time model: a representational transformation on computation graphs (p. 29)
timeslice: maximal set of mutually concurrent events (p. 76)
timestamp vector: cut containing the maximal event from each process that precedes or equals a given event (p. 87)
TRANS: transitive closure model (p. 36)
transitively bounded: when the transitive closure is bounded (p. 36)
V(γ, M, M', A): the timestamp vector of event A in graph γ from parallel pair (M, M') (p. 87)
V(A): the timestamp vector for event A, when the graph and models are understood (p. 87)
[illegible]: the adjusted timestamp vector of event A in graph γ from parallel pair (M, M') (p. 110)
V*(A): the adjusted timestamp vector for event A, when the graph and models are understood (p. 110)
vector: an indexed set of events, one from each process (p. 75)
view-complete: when for every transition edge at a process, an event has the same external view (p. 101)